
Cisco 2811 and Cisco 2821 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy

OL-8663-01

  Cisco 2811 and Cisco 2821 Routers

Step 5   Place the tamper evidence label so that one half of the label covers the enclosure and the other half covers the rear panel.

Step 6   Allow the labels to cure; they cure completely within five minutes.

Figure 9 and Figure 10 show the tamper evidence label placements for the Cisco 2821.

Figure 9

Cisco 2821 Tamper Evident Label Placement (Back View)

Figure 10

Cisco 2821 Tamper Evident Label Placement (Front View)

The tamper evidence seals are produced from a special thin-gauge vinyl with self-adhesive backing. Any 
attempt to open the router will damage the tamper evidence seals or the material of the module cover. 
Because each tamper evidence seal carries a non-repeating serial number, the seals can be inspected for damage and 
their serial numbers compared against the serial numbers recorded when they were applied, to verify that the module has not been tampered with. Tamper 
evidence seals can also be inspected for signs of tampering, which include the following: curled corners, 
bubbling, crinkling, rips, tears, and slices. The word "OPEN" may appear if the label has been peeled back.

Cryptographic Key Management

The router securely administers both cryptographic keys and other critical security parameters (CSPs) such as 
passwords. The tamper evidence seals provide physical protection for all keys. All keys are also 
protected by the password required to log in to the Crypto Officer role, and can be zeroized by the Crypto 
Officer. All zeroization consists of overwriting the memory that stored the key. Keys are exchanged and 
entered electronically or via Internet Key Exchange (IKE).
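The policy states that zeroization overwrites the memory that held the key. The example below is an added illustration and is not Cisco's code or part of the security policy; it shows the one pitfall a practitioner auditing such an overwrite should know about: a plain memset() on a buffer that is never read again is a dead store that an optimising compiler may remove, so the overwrite must be forced. The key structure, the sample key value and the function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical CSP container: a 256-bit key plus its length (assumption for the example). */
typedef struct {
    uint8_t bytes[32];
    size_t  len;
} csp_key;

/* Calling memset() through a volatile function pointer prevents the compiler
 * from treating the overwrite as a dead store and eliding it. */
static void *(*const volatile memset_ptr)(void *, int, size_t) = memset;

/* Zeroize: overwrite every byte of the CSP's storage with zero. */
void zeroize(void *p, size_t n)
{
    memset_ptr(p, 0, n);
}

/* Audit check: returns 1 if every byte in the region is zero, 0 otherwise.
 * OR-accumulating avoids an early exit, so the check itself leaks nothing
 * about where non-zero bytes sit. */
int is_zeroized(const uint8_t *p, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= p[i];
    return acc == 0;
}

/* Fill a key with a constructed, non-secret sample value, zeroize it, and
 * confirm that key material was present before and absent afterwards.
 * Returns 1 on success, 0 if either observation fails. */
int demo_zeroize_key(void)
{
    csp_key k;
    for (size_t i = 0; i < sizeof k.bytes; i++)
        k.bytes[i] = (uint8_t)(0xA5 ^ i);   /* constructed sample bytes, not a real key */
    k.len = sizeof k.bytes;

    int before = is_zeroized(k.bytes, k.len);            /* expect 0: key present */
    zeroize(&k, sizeof k);                               /* overwrite key and length */
    int after = is_zeroized((const uint8_t *)&k, sizeof k); /* expect 1: nothing left */
    return before == 0 && after == 1;
}

int main(void)
{
    printf("zeroization %s\n", demo_zeroize_key() ? "verified" : "FAILED");
    return 0;
}
```

Zeroizing the whole structure rather than only the key bytes also clears the length field, so nothing about the CSP survives; on platforms that provide explicit_bzero() or memset_s(), those are the preferred replacements for the volatile-pointer trick.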
