background image

© Copyright 2011 Cisco Systems, Inc. 

 

 

This document may be freely reproduced and distributed whole and intact including this Copyright Notice.

  

 
 
 

16

  

1-9 

10-11 

Summary of Contents for 7606-S

Page 1: ...document may be freely reproduced and distributed whole and intact including this Copyright Notice 1 Cisco 7606 S and 7609 S Routers with Supervisor SUP720 3B FIPS 140 2 Non Proprietary Security Policy Level 2 Validation Version 0 5 May 2011 ...

Page 2: ...ACES 6 2 3 ROLES AND SERVICES 8 2 3 1 Authentication 9 2 3 2 Services 9 a User Services 9 b Crypto Officer Services 10 2 3 3 Unauthenticated Services 11 2 4 PHYSICAL SECURITY 11 2 4 1 Module Opacity 11 2 4 2 Tamper Evidence 13 2 5 CRYPTOGRAPHIC ALGORITHMS 17 2 5 1 Approved Cryptographic Algorithms 17 2 5 2 Non FIPS Approved Algorithms Allowed in FIPS Mode 18 2 5 3 Non Approved Cryptographic Algori...

Page 3: ... modules More information about the FIPS 140 2 standard and validation program is available on the NIST website at http csrc nist gov groups STM index html 1 2 Module Validation Level The following table lists the level of validation for each area in the FIPS PUB 140 2 No Area Title Level 1 Cryptographic Module Specification 2 2 Cryptographic Module Ports and Interfaces 2 3 Roles Services and Auth...

Page 4: ...system 1 5 Document Organization The Security Policy document is part of the FIPS 140 2 Submission Package In addition to this document the Submission Package contains Vendor Evidence document Finite State Machine Other supporting documentation as additional references This document provides an overview of the Cisco 7606 S and 7609 S Routers with Supervisor SUP720 3B and explains the secure config...

Page 5: ...gh e network ed es are necess rier Ethernet ge of IP vide al and busin work MAN he physical c hysical Char Figure 1 C ole and intact inc 5 s with Sup performanc dge where ro sary to meet t service pro eo and triple ness services N networking characteristic racteristics Cisco 7606 S R cluding this Copy pervisor S ce router desi obust perfor the requirem viders to dep e play voice markets Th g solut...

Page 6: ... oundary is il ity described dary The mo faces the followin hernet ports 1000 Etherne nsole port LEDs EDs LEDs ctFlash Type depicted in t nc d distributed who Figure 2 C defined as be llustrated in d in this publ odule incorpo ng interfaces et port e II slots dis the figures b ole and intact inc 6 Cisco 7609 S R ing the phys Figures 1 an lication is pr orates one or s sabled via TE below cluding t...

Page 7: ...su because a faul sequence All chassis en OK A minor hardw A major hardw The superviso The superviso cluding this Copy terfaces conveyed by n cs pass The su normal initializ or engine is boo normal initializ ic test includin upervisor engin lt occurred dur nvironmental m ware problem ware problem h or engine is ope or engine is in s yright Notice y the LEDs o upervisor engin zation sequence oting ...

Page 8: ...0 2 defined logical interfaces data input data output control input status output and power The logical interfaces and their mapping are described in the following table Router Physical Interface FIPS 140 2 Logical Interface Gigabit SFP Ethernet ports Console Port Data Input Interface Gigabit SFP Ethernet ports Console Port Data Output Interface Gigabit SFP Ethernet ports Console Port Control Inpu...

Page 9: ... has modulus size of 1024 bit to 2048 bit thus providing between 80 bits and 112 bits of strength Assuming the low end of that range an attacker would have a 1 in 280 chance of randomly obtaining the key which is much stronger than the one in a million chance required by FIPS 140 2 To exceed a one in 100 000 probability of a successful random key guess in one minute an attacker would have to be ca...

Page 10: ...er via the console port or via SSH session The Crypto Officer services consist of the following Services Access Description Keys CSPs Configure the router r w z Define network interfaces and settings create command aliases set the protocols the router will support enable interfaces and network services set system date and time and load authentication information User password Enable password RADIU...

Page 11: ...sical Security This module is a multi chip standalone cryptographic module The FIPS 140 2 level 2 physical security requirements for the modules are met by the use of opacity shields covering the front panels of modules to provide the required opacity and tamper evident seals to provide the required tamper evidence The following sections illustrate the physical security provided by the module The ...

Page 12: ...nap rivet sleeve before you install them Proceed to step 4 Note Extra snap rivet fasteners are included in the bag of installation hardware in case of loss or damage Start the two thumbscrews in the corresponding threaded holes in the opacity shield see Figure 5 two or three turns is sufficient Do not thread the thumbscrews too far into the opacity shield Open the envelope containing the disposabl...

Page 13: ...i and replace ove the 7606 opacity shiel alling the Opac y opacity shie nfigured to m thout signs zed tamper e ole and intact inc 13 hen using th eration as sp rements will will meet the ange the opa lity of overh the opacity s 6 S chassis fr ld installed t city Shield on elds meet overall of tamperin evidence lab cluding this Copy e opacity sh pecified by G l only be me short term o acity shield ...

Page 14: ... Copyright 2011 Cisco Systems Inc This document may be freely reproduced and distributed whole and intact including this Copyright Notice 14 11 13 14 15 1 2 7 8 10 ...

Page 15: ... Copyright 2011 Cisco Systems Inc This document may be freely reproduced and distributed whole and intact including this Copyright Notice 15 Figure 5 TEL placement for 7606 S 16 17 18 20 ...

Page 16: ... Copyright 2011 Cisco Systems Inc This document may be freely reproduced and distributed whole and intact including this Copyright Notice 16 1 9 10 11 ...

Page 17: ... intact including this Copyright Notice 17 Figure 6 TEL placement for 7609 S 2 5 Cryptographic Algorithms The module implements a variety of approved and non approved algorithms 2 5 1 Approved Cryptographic Algorithms The routers support the following FIPS 2 approved algorithm implementations 12 15 ...

Page 18: ...on approved cryptographic algorithms that shall not be used in FIPS mode of operation DES DES MAC MD5 MD4 HMAC MD5 Non Approved RNGs 2 6 Cryptographic Key Management The router securely administers both cryptographic keys and other critical security parameters such as passwords All keys and CSPs are also protected by the password protection provided by the crypto officer logins and can be zeroized...

Page 19: ...er which associates the key with the correct entity All other keys are associated with the user role that entered them The module supports the following keys and critical security parameters CSPs ID Algorithm Size Description Origin Storage Zeroization Method General Keys CSPs User password Password 8 characters Used to authenticate User role Configured by Crypto Officer NVRAM plaintext Zeroized b...

Page 20: ...y used to authenticate the module Generated or entered like any RSA key NVRAM plaintext Zeroized by either deletion via crypto key zeroize rsa or by overwriting with a new value of the key SSH session key Triple DES AES 3 key Triple DES 128 192 256 bits AES keys This is the symmetric SSH key used to protect SSH session Created as part of SSH session set up DRAM plaintext Zeroized automatically whe...

Page 21: ...mage should be loaded 2 The value of the boot field must be 0x0102 This setting disables break from the console to the ROM monitor and automatically boots the IOS image From the configure terminal command line the Crypto Officer enters the following syntax config register 0x0102 3 The Crypto Officer must create the enable password for the Crypto Officer role The password must be at least 8 charact...

Page 22: ...image onto the router is not allowed while in FIPS mode of operation 3 2 Protocols 1 SNMPv3 is allowed in FIPS mode of operation SNMPv3 uses FIPS approved cryptographic algorithms however from a FIPS perspective SNMPv3 is considered to be a plaintext session since the key derivation used as by SNMPv3 is not FIPS compliant 3 3 Remote Access 1 SSH access to the module is only allowed if SSH is confi...

Reviews: