manualshive.com logo in svg

Cisco 7606-S, User Manual

Looking for a comprehensive User Manual for Cisco 7606-S? Look no further! Download the manual for free from manualshive.com, and gain access to detailed instructions, troubleshooting tips, and valuable insights to unlock the full potential of your Cisco 7606-S. Get your hands on it now!

Share
Download
background image

© Copyright 2011 Cisco Systems, Inc. 

 

 

This document may be freely reproduced and distributed whole and intact including this Copyright Notice.

  

 
 
 

11

status. 

Manage the router 
(r, w)

 

Log off users, shutdown or reload the 
router, erase the flash memory, 
manually back up router 
configurations, view complete 
configurations, manager user rights, 
and restore router configurations. 

User password, Enable 
password, RADIUS secret, 
secret, DH shared 
secret, Router Authentication 
key, PPP authentication key, 
SSH private key 

Perform Self-Tests 

Perform the FIPS 140 start-up tests on 
demand 

N/A 

r: read, w: write, x: execute, z: zeroize 

Table 5 - Crypto Officer Services 

 
 
 

2.3.3

 

Unauthenticated Services 

The services available to unauthenticated users are: 

 

Viewing the status output from the module’s LEDs 

 

Powering the module on and off using the power switch on the third-party chassis 

 

2.4

 

Physical Security 

This module is a multi-chip standalone cryptographic module.  
 
The FIPS 140-2 level 2 physical security requirements for the modules are met by the use of 
opacity shields covering the front panels of modules to provide the required opacity and tamper 
evident seals to provide the required tamper evidence.  The following sections illustrate the 
physical security provided by the module. 
 
The tamper evident labels and opacity shields shall be installed for the module to operate in a 
FIPS Approved mode of operation. The following table shows the number of tamper evident 
labels and opacity shields.  The CO is responsible for securing and having control at all times of 
any unused tamper evident labels. 
 

Model 

Tamper Evident Labels 

Opacity Shields 

7606-S 20 

7609-S 15 

N/A 

Table 6 – TELs 

2.4.1

 

Module Opacity 

To install an opacity shield on the module, follow these steps: 

1.

 

The opacity shield is designed to be installed on a Catalyst 7606-S chassis that is already 
rack-mounted. If your Cisco 7606-S chassis is not rack-mounted, install the chassis in the 

Summary of Contents for 7606-S

Page 1: ...document may be freely reproduced and distributed whole and intact including this Copyright Notice 1 Cisco 7606 S and 7609 S Routers with Supervisor SUP720 3B FIPS 140 2 Non Proprietary Security Policy Level 2 Validation Version 0 5 May 2011 ...

Page 2: ...ACES 6 2 3 ROLES AND SERVICES 8 2 3 1 Authentication 9 2 3 2 Services 9 a User Services 9 b Crypto Officer Services 10 2 3 3 Unauthenticated Services 11 2 4 PHYSICAL SECURITY 11 2 4 1 Module Opacity 11 2 4 2 Tamper Evidence 13 2 5 CRYPTOGRAPHIC ALGORITHMS 17 2 5 1 Approved Cryptographic Algorithms 17 2 5 2 Non FIPS Approved Algorithms Allowed in FIPS Mode 18 2 5 3 Non Approved Cryptographic Algori...

Page 3: ... modules More information about the FIPS 140 2 standard and validation program is available on the NIST website at http csrc nist gov groups STM index html 1 2 Module Validation Level The following table lists the level of validation for each area in the FIPS PUB 140 2 No Area Title Level 1 Cryptographic Module Specification 2 2 Cryptographic Module Ports and Interfaces 2 3 Roles Services and Auth...

Page 4: ...system 1 5 Document Organization The Security Policy document is part of the FIPS 140 2 Submission Package In addition to this document the Submission Package contains Vendor Evidence document Finite State Machine Other supporting documentation as additional references This document provides an overview of the Cisco 7606 S and 7609 S Routers with Supervisor SUP720 3B and explains the secure config...

Page 5: ...gh e network ed es are necess rier Ethernet ge of IP vide al and busin work MAN he physical c hysical Char Figure 1 C ole and intact inc 5 s with Sup performanc dge where ro sary to meet t service pro eo and triple ness services N networking characteristic racteristics Cisco 7606 S R cluding this Copy pervisor S ce router desi obust perfor the requirem viders to dep e play voice markets Th g solut...

Page 6: ... oundary is il ity described dary The mo faces the followin hernet ports 1000 Etherne nsole port LEDs EDs LEDs ctFlash Type depicted in t nc d distributed who Figure 2 C defined as be llustrated in d in this publ odule incorpo ng interfaces et port e II slots dis the figures b ole and intact inc 6 Cisco 7609 S R ing the phys Figures 1 an lication is pr orates one or s sabled via TE below cluding t...

Page 7: ...su because a faul sequence All chassis en OK A minor hardw A major hardw The superviso The superviso cluding this Copy terfaces conveyed by n cs pass The su normal initializ or engine is boo normal initializ ic test includin upervisor engin lt occurred dur nvironmental m ware problem ware problem h or engine is ope or engine is in s yright Notice y the LEDs o upervisor engin zation sequence oting ...

Page 8: ...0 2 defined logical interfaces data input data output control input status output and power The logical interfaces and their mapping are described in the following table Router Physical Interface FIPS 140 2 Logical Interface Gigabit SFP Ethernet ports Console Port Data Input Interface Gigabit SFP Ethernet ports Console Port Data Output Interface Gigabit SFP Ethernet ports Console Port Control Inpu...

Page 9: ... has modulus size of 1024 bit to 2048 bit thus providing between 80 bits and 112 bits of strength Assuming the low end of that range an attacker would have a 1 in 280 chance of randomly obtaining the key which is much stronger than the one in a million chance required by FIPS 140 2 To exceed a one in 100 000 probability of a successful random key guess in one minute an attacker would have to be ca...

Page 10: ...er via the console port or via SSH session The Crypto Officer services consist of the following Services Access Description Keys CSPs Configure the router r w z Define network interfaces and settings create command aliases set the protocols the router will support enable interfaces and network services set system date and time and load authentication information User password Enable password RADIU...

Page 11: ...sical Security This module is a multi chip standalone cryptographic module The FIPS 140 2 level 2 physical security requirements for the modules are met by the use of opacity shields covering the front panels of modules to provide the required opacity and tamper evident seals to provide the required tamper evidence The following sections illustrate the physical security provided by the module The ...

Page 12: ...nap rivet sleeve before you install them Proceed to step 4 Note Extra snap rivet fasteners are included in the bag of installation hardware in case of loss or damage Start the two thumbscrews in the corresponding threaded holes in the opacity shield see Figure 5 two or three turns is sufficient Do not thread the thumbscrews too far into the opacity shield Open the envelope containing the disposabl...

Page 13: ...i and replace ove the 7606 opacity shiel alling the Opac y opacity shie nfigured to m thout signs zed tamper e ole and intact inc 13 hen using th eration as sp rements will will meet the ange the opa lity of overh the opacity s 6 S chassis fr ld installed t city Shield on elds meet overall of tamperin evidence lab cluding this Copy e opacity sh pecified by G l only be me short term o acity shield ...

Page 14: ... Copyright 2011 Cisco Systems Inc This document may be freely reproduced and distributed whole and intact including this Copyright Notice 14 11 13 14 15 1 2 7 8 10 ...

Page 15: ... Copyright 2011 Cisco Systems Inc This document may be freely reproduced and distributed whole and intact including this Copyright Notice 15 Figure 5 TEL placement for 7606 S 16 17 18 20 ...

Page 16: ... Copyright 2011 Cisco Systems Inc This document may be freely reproduced and distributed whole and intact including this Copyright Notice 16 1 9 10 11 ...

Page 17: ... intact including this Copyright Notice 17 Figure 6 TEL placement for 7609 S 2 5 Cryptographic Algorithms The module implements a variety of approved and non approved algorithms 2 5 1 Approved Cryptographic Algorithms The routers support the following FIPS 2 approved algorithm implementations 12 15 ...

Page 18: ...on approved cryptographic algorithms that shall not be used in FIPS mode of operation DES DES MAC MD5 MD4 HMAC MD5 Non Approved RNGs 2 6 Cryptographic Key Management The router securely administers both cryptographic keys and other critical security parameters such as passwords All keys and CSPs are also protected by the password protection provided by the crypto officer logins and can be zeroized...

Page 19: ...er which associates the key with the correct entity All other keys are associated with the user role that entered them The module supports the following keys and critical security parameters CSPs ID Algorithm Size Description Origin Storage Zeroization Method General Keys CSPs User password Password 8 characters Used to authenticate User role Configured by Crypto Officer NVRAM plaintext Zeroized b...

Page 20: ...y used to authenticate the module Generated or entered like any RSA key NVRAM plaintext Zeroized by either deletion via crypto key zeroize rsa or by overwriting with a new value of the key SSH session key Triple DES AES 3 key Triple DES 128 192 256 bits AES keys This is the symmetric SSH key used to protect SSH session Created as part of SSH session set up DRAM plaintext Zeroized automatically whe...

Page 21: ...mage should be loaded 2 The value of the boot field must be 0x0102 This setting disables break from the console to the ROM monitor and automatically boots the IOS image From the configure terminal command line the Crypto Officer enters the following syntax config register 0x0102 3 The Crypto Officer must create the enable password for the Crypto Officer role The password must be at least 8 charact...

Page 22: ...image onto the router is not allowed while in FIPS mode of operation 3 2 Protocols 1 SNMPv3 is allowed in FIPS mode of operation SNMPv3 uses FIPS approved cryptographic algorithms however from a FIPS perspective SNMPv3 is considered to be a plaintext session since the key derivation used as by SNMPv3 is not FIPS compliant 3 3 Remote Access 1 SSH access to the module is only allowed if SSH is confi...

Reviews:

No comments

Related manuals for 7606-S

Fortinet FortiAP S311C Quick Start Manual preview
FortiAP S311C
Brand: Fortinet Pages: 20
Optostar OP-8000-EDFA-1U Series Manual preview
OP-8000-EDFA-1U Series
Brand: Optostar Pages: 9
Supermicro AOC-MGP-i2 User Manual preview
AOC-MGP-i2
Brand: Supermicro Pages: 27
Comway 4G DTU Configuration Instructions preview
4G DTU
Brand: Comway Pages: 20
i-MO OptiBond 210 C Series Hardware Installation Manual preview
OptiBond 210 C Series
Brand: i-MO Pages: 16
LevelOne NetCon FBR-1409TX User Manual preview
NetCon FBR-1409TX
Brand: LevelOne Pages: 88
FOR-A USF-105PS Operation Manuals preview
USF-105PS
Brand: FOR-A Pages: 37
ADTRAN 1202880E1 Quick Start Manual preview
1202880E1
Brand: ADTRAN Pages: 4
Patton electronics OnSite 9100 Quick Start Manual preview
OnSite 9100
Brand: Patton electronics Pages: 8
Netstor NA762TB3 User Manual preview
NA762TB3
Brand: Netstor Pages: 17
Hamlet HRDSL108W Quick Installation Manual preview
HRDSL108W
Brand: Hamlet Pages: 6
Atlantis Land I-FLY A02-WRA4-54G (Italian) Specifications preview
I-FLY A02-WRA4-54G
Brand: Atlantis Land Pages: 3
Ryobi RTR18 Manual preview
RTR18
Brand: Ryobi Pages: 84
D-Link DSL-3590L Quick Installation Manual preview
DSL-3590L
Brand: D-Link Pages: 80
MikroTik AP Staging Manual preview
AP
Brand: MikroTik Pages: 7
D-Link DI-2621 Installation Manual preview
DI-2621
Brand: D-Link Pages: 30
D-Link DI-704GU Quick Installation Manual preview
DI-704GU
Brand: D-Link Pages: 23
D-Link DIR-601 Product Manual preview
DIR-601
Brand: D-Link Pages: 120

Brands by name

Popular brands

Load more brands