Cisco 2811 and Cisco 2821 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy

OL-8663-01

  Cisco 2811 and Cisco 2821 Routers

Table 9  Cryptographic Keys and CSPs (Continued)

(Columns of the original table: Name, Algorithm, Description, Storage location, Zeroization method.)

ISAKMP preshared
  Algorithm: Secret
  Description: The key used to generate the IKE SKEYID during preshared-key authentication. The "no crypto isakmp key" command zeroizes it. The key takes one of two forms, depending on whether it is bound to the peer's hostname or to its IP address.
  Storage: NVRAM (plaintext)
  Zeroization: "# no crypto isakmp key"

IKE hash key
  Algorithm: SHA-1 HMAC
  Description: This key generates the IKE shared secret keys. It is zeroized as soon as those keys have been generated.
  Storage: DRAM (plaintext)
  Zeroization: Automatically, after the IKE shared secret keys are generated.

secret_1_0_0
  Description: The fixed key used in Cisco vendor ID generation. This key is embedded in the module binary image and can be deleted by erasing the Flash.
  Storage: NVRAM (plaintext)
  Zeroization: Erase the Flash.

IPSec encryption key
  Algorithm: DES/TDES/AES
  Description: The IPSec encryption key. Zeroized when the IPSec session is terminated.
  Storage: DRAM (plaintext)
  Zeroization: Automatically when the IPSec session is terminated.

IPSec authentication key
  Algorithm: SHA-1 HMAC or DES MAC
  Description: The IPSec authentication key. Zeroized in the same way as the IPSec encryption key.
  Storage: DRAM (plaintext)
  Zeroization: Automatically when the IPSec session is terminated.

Configuration encryption key
  Algorithm: AES
  Description: The key used to encrypt values in the configuration file. This key is zeroized when "no key config-key" is issued. Note that this command does NOT decrypt the configuration file, so zeroize with care.
  Storage: NVRAM (plaintext)
  Zeroization: "# no key config-key"

Router authentication key 1
  Algorithm: Shared secret
  Description: This key is used by the router to authenticate itself to the peer. The router obtains the password that serves as this key from the AAA server and sends it on to the peer. The password retrieved from the AAA server is zeroized upon completion of the authentication attempt.
  Storage: DRAM (plaintext)
  Zeroization: Automatically upon completion of the authentication attempt.

PPP authentication key
  Algorithm: RFC 1334
  Description: The authentication key used in PPP. This key is held in DRAM and is not zeroized at runtime; because it is stored in DRAM, powering off the router zeroizes it.
  Storage: DRAM (plaintext)
  Zeroization: Turn off the router.

Router authentication key 2
  Algorithm: Shared secret
  Description: This key is used by the router to authenticate itself to the peer. It is identical to Router authentication key 1 except that it is retrieved from the local database on the router itself. Issuing "no username password" zeroizes the password (used as this key) from the local database.
  Storage: NVRAM (plaintext)
  Zeroization: "# no username password"

SSH session key
  Algorithm: Various symmetric
  Description: The SSH session key. It is zeroized when the SSH session is terminated.
  Storage: DRAM (plaintext)
  Zeroization: Automatically when the SSH session is terminated.

User password
  Algorithm: Shared secret
  Description: The password of the User role. It is zeroized by overwriting it with a new password.
  Storage: NVRAM (plaintext)
  Zeroization: Overwrite with a new password.

Enable password
  Algorithm: Shared secret
  Description: The plaintext password of the Crypto Officer (CO) role. It is zeroized by overwriting it with a new password.
  Storage: NVRAM (plaintext)
  Zeroization: Overwrite with a new password.
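The ISAKMP preshared and IKE hash key rows describe two stages of the same IKEv1 (RFC 2409) derivation: the long-lived pre-shared key is mixed with the two nonces to produce SKEYID, SKEYID is used once to derive the working keys SKEYID_d, SKEYID_a and SKEYID_e, and then SKEYID itself is zeroized. The following Python is an added illustration of that sequence, not code from the policy or from Cisco IOS. The nonces, cookies and Diffie-Hellman shared secret are constructed sample values, and zeroing a bytearray only mirrors the module's behaviour; CPython cannot promise that no other copy of the key remains in memory.

```python
"""IKEv1 (RFC 2409) phase-1 key derivation with pre-shared-key authentication.

Added illustration, not code from the Cisco security policy. The nonces,
cookies and Diffie-Hellman shared secret below are constructed sample
values; on a real router they come from the IKE exchange.
"""
import hmac
import hashlib

HASH = hashlib.sha1  # the policy lists the IKE hash key as SHA-1 HMAC


def prf(key, data: bytes) -> bytes:
    """RFC 2409 prf: the negotiated hash in HMAC mode, keyed with `key`.
    `key` may be a bytearray so the caller can zeroize it afterwards."""
    return hmac.new(key, data, HASH).digest()


def derive_skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytearray:
    """Pre-shared-key authentication (RFC 2409 section 5.4):
        SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    Returned as a mutable bytearray so it can be zeroized once the
    SKEYID_* values have been derived from it (the policy's 'IKE hash key')."""
    return bytearray(prf(psk, ni_b + nr_b))


def derive_phase1_keys(skeyid: bytearray, gxy: bytes,
                       cky_i: bytes, cky_r: bytes) -> dict:
    """RFC 2409 section 5:
        SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)
        SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1)
        SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)
    The trailing 0, 1, 2 are single octets."""
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return {"SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def zeroize(buf: bytearray) -> None:
    """Overwrite a key buffer in place. Illustrates the module's policy of
    zeroizing the IKE hash key after use; CPython gives no guarantee that
    other copies (for example temporaries inside hmac) are gone."""
    for i in range(len(buf)):
        buf[i] = 0


def phase1_keys_psk(psk, ni_b, nr_b, gxy, cky_i, cky_r):
    """The sequence one side of the exchange performs: derive SKEYID from the
    pre-shared key, derive the three working keys, then zeroize SKEYID.
    Returns (keys, skeyid_buffer) so a caller can confirm the zeroization."""
    skeyid = derive_skeyid_psk(psk, ni_b, nr_b)
    keys = derive_phase1_keys(skeyid, gxy, cky_i, cky_r)
    zeroize(skeyid)
    return keys, skeyid


# Constructed sample inputs (not from the policy document).
SAMPLE_PSK = b"example-preshared-key"
SAMPLE_NI = bytes(range(16))        # initiator nonce Ni_b
SAMPLE_NR = bytes(range(16, 32))    # responder nonce Nr_b
SAMPLE_GXY = b"\x5a" * 128          # DH shared secret (128 bytes for group 2)
SAMPLE_CKY_I = b"\x01" * 8          # initiator cookie CKY-I
SAMPLE_CKY_R = b"\x02" * 8          # responder cookie CKY-R

if __name__ == "__main__":
    keys, leftover = phase1_keys_psk(SAMPLE_PSK, SAMPLE_NI, SAMPLE_NR,
                                     SAMPLE_GXY, SAMPLE_CKY_I, SAMPLE_CKY_R)
    for name, k in keys.items():
        print(f"{name}: {k.hex()}")
    print("SKEYID buffer after derivation:", leftover.hex())
```

Both peers run the same computation over the same inputs, which is why a pre-shared key bound to the wrong hostname or address form (the two forms the table mentions) fails at this step: the SKEYID values differ and the authentication hash never verifies.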

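The rows stored in NVRAM (the ISAKMP preshared key, the configuration encryption key, the local-database passwords and the enable password) are the ones an operator has to zeroize by hand, since the DRAM-resident keys are cleared automatically or by powering the router off. As an added example that is not part of the policy and not Cisco code, the following Python scans a constructed running-config fragment, lists each NVRAM-resident CSP from Table 9 that it finds, and pairs it with the zeroization step and the caveat that applies, including the warning that removing the config-key does not decrypt the configuration. The command forms it emits (for instance "no username <name>", where the table writes "no username password") are assumptions to verify against the IOS release in use; the table in the policy remains the authoritative list.

```python
"""Inventory the NVRAM-resident CSPs from Table 9 in an IOS configuration and
produce the zeroization step for each one.

Added illustration, not code from the Cisco security policy. The sample
configuration is constructed, and the generated command forms (for example
'no username <name>') are assumptions to be checked against the IOS release
in use.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    csp: str          # name used in Table 9
    config_line: str  # the configuration line that carries the CSP
    zeroize: str      # zeroization step to run
    caveat: str       # what the operator must know before running it


# (pattern, CSP name, zeroization builder, caveat)
RULES = [
    (re.compile(r"^crypto isakmp key (\S+) (address|hostname) (\S+)(.*)$"),
     "ISAKMP preshared",
     lambda m: f"no crypto isakmp key {m[1]} {m[2]} {m[3]}{m[4]}",
     "two forms exist (address or hostname); negate the form that was configured"),
    (re.compile(r"^key config-key password-encrypt\b"),
     "Configuration encryption key",
     lambda m: "no key config-key password-encrypt",
     "does NOT decrypt the configuration file; values encrypted under it become unrecoverable"),
    (re.compile(r"^username (\S+) password (?:\d )?\S+$"),
     "Router authentication key 2 / User password",
     lambda m: f"no username {m[1]}",
     "removes the local-database password that doubles as the authentication key"),
    (re.compile(r"^enable password (?:\d )?\S+$"),
     "Enable password",
     lambda m: "enable password <new-value>",
     "zeroized only by overwriting it with a new password"),
]


def zeroization_plan(config_text: str) -> List[Finding]:
    """Return one Finding per configuration line that carries a Table 9 CSP,
    in configuration order. Lines that match no rule are ignored."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        for pattern, csp, build, caveat in RULES:
            m = pattern.match(line)
            if m:
                findings.append(Finding(csp, line, build(m), caveat))
                break
    return findings


# Constructed sample running-config fragment (not from the policy document).
SAMPLE_CONFIG = """\
hostname vpn-gw
key config-key password-encrypt
enable password 0 ChangeMe
username admin password 0 AdminPass
username ops password 7 0822455D0A16
crypto isakmp key s3cr3t address 192.0.2.10
crypto isakmp key hub-key hostname hub.example.net
crypto isakmp policy 10
 encr aes
 hash sha
"""

if __name__ == "__main__":
    for f in zeroization_plan(SAMPLE_CONFIG):
        print(f"{f.csp}\n  line:    {f.config_line}\n"
              f"  zeroize: {f.zeroize}\n  caveat:  {f.caveat}")
```

Run it against "show running-config" output before a decommission or after a suspected compromise; the ordering matters, because anything still encrypted under the configuration encryption key must be dealt with before that key is removed.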