Cisco 7606-S and 7609-S Routers with Supervisor SUP720-3B FIPS 140-2 Non-Proprietary Security Policy, Level 2 Validation, Version 0.5, May 2011

© Copyright 2011 Cisco Systems, Inc. 

 

 

This document may be freely reproduced and distributed whole and intact including this Copyright Notice.

  

 
 
 

2.3.1 Authentication

 
The module provides password based and digital signature based authentication. Crypto Officers 
are always authenticated using passwords whereas a User can be authenticated either via a 
password or digital signature.  
 
a.  Password based Authentication 
 
The security policy stipulates that all user passwords and shared secrets must be 8 alphanumeric 
characters, so the password space is 2.8 trillion possible passwords. The probability of randomly 
guessing a password is thus far less than one in one million. To exceed a one in 100,000 
probability of a successful random password guess in one minute, an attacker would have to be 
capable of 28 million password attempts per minute, which far exceeds the rate of attempts the 
module can process. 
 
b. Digital signature based Authentication 
 
When using RSA based authentication, the RSA key pair has a modulus size of 1024 bit to 2048 bit, 
thus providing between 80 bits and 112 bits of strength. Assuming the low end of that range, an 
attacker would have a 1 in 2^80 chance of randomly obtaining the key, which is much stronger 
than the one in a million chance required by FIPS 140-2. To exceed a one in 100,000 probability 
of a successful random key guess in one minute, an attacker would have to be capable of 
approximately 1.8x10^21 attempts per minute, which far exceeds the rate of attempts the 
modules can process. 
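The two strength-of-authentication arguments above apply one FIPS 140-2 rule to two different guess spaces: a single random attempt must succeed with probability less than one in 1,000,000, and the attempts possible within one minute must succeed with probability less than one in 100,000. As an added example, not code from the Cisco security policy, the Python below evaluates that rule for any password alphabet and length or any key security strength, and also answers the question the policy leaves implicit: the shortest password that satisfies both requirements at a given module attempt rate. The 36-symbol alphabet is an assumption inferred from the policy's own figure (36^8 is about 2.8 trillion); the module attempt rate of 600 per minute is a constructed placeholder, since the policy does not state the module's rate.

```python
"""Strength-of-authentication check in the style of FIPS 140-2 section 4.3.

Added example, not part of the Cisco security policy. The alphabet size of 36
(digits plus case-insensitive letters) is inferred from the policy's figure of
2.8 trillion passwords for 8 alphanumeric characters (36**8); the module
attempt rate used below is a constructed placeholder, not a policy value.
"""
from fractions import Fraction

# FIPS 140-2 thresholds: a single random attempt must succeed with probability
# less than 1 in 1,000,000, and all attempts possible within one minute with
# probability less than 1 in 100,000. Fractions keep the comparisons exact.
SINGLE_ATTEMPT_LIMIT = Fraction(1, 1_000_000)
ONE_MINUTE_LIMIT = Fraction(1, 100_000)


def password_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def key_space(security_strength_bits: int) -> int:
    """Guess space of a key offering the given security strength in bits."""
    return 2 ** security_strength_bits


def attempts_per_minute_to_exceed(space: int) -> int:
    """Attempts per minute an attacker needs so that the one-minute success
    probability (attempts / space) reaches the 1-in-100,000 limit."""
    return int(space * ONE_MINUTE_LIMIT)


def meets_fips_140_2(space: int, module_attempts_per_minute: int) -> dict:
    """Evaluate both requirements for a mechanism with `space` equiprobable
    secrets on a module able to process `module_attempts_per_minute` attempts."""
    single = Fraction(1, space)
    # Probability that the attempts the module can process in one minute hit
    # the secret; capped at 1 for tiny spaces.
    one_minute = min(Fraction(1), Fraction(module_attempts_per_minute, space))
    return {
        "single_attempt_probability": single,
        "single_attempt_ok": single < SINGLE_ATTEMPT_LIMIT,
        "one_minute_probability": one_minute,
        "one_minute_ok": one_minute < ONE_MINUTE_LIMIT,
        "attacker_rate_to_exceed": attempts_per_minute_to_exceed(space),
    }


def min_password_length(alphabet_size: int, module_attempts_per_minute: int) -> int:
    """Smallest password length for which both requirements hold."""
    length = 1
    while True:
        verdict = meets_fips_140_2(password_space(alphabet_size, length),
                                   module_attempts_per_minute)
        if verdict["single_attempt_ok"] and verdict["one_minute_ok"]:
            return length
        length += 1


if __name__ == "__main__":
    MODULE_RATE = 600  # constructed placeholder: attempts the module could process per minute
    pw = meets_fips_140_2(password_space(36, 8), MODULE_RATE)
    print(f"8-char alphanumeric: space={password_space(36, 8):,} "
          f"single_ok={pw['single_attempt_ok']} minute_ok={pw['one_minute_ok']} "
          f"attacker needs {pw['attacker_rate_to_exceed']:,} attempts/min")
    rsa = meets_fips_140_2(key_space(80), MODULE_RATE)
    print(f"80-bit strength key: attacker needs {rsa['attacker_rate_to_exceed']:.3e} attempts/min")
    print("minimum password length at this rate:", min_password_length(36, MODULE_RATE))
```

The password case reproduces the policy's figures exactly (a space of about 2.8 trillion and roughly 28 million attempts per minute to reach the one-minute threshold); the key case is computed from the 80-bit strength by the same rule. `min_password_length` is the check a reviewer of a security policy would actually want: given how many login attempts the module can process per minute, it reports how short a password could be before either requirement fails.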
 

2.3.2 Services

 

a. User Services 

 
Users can access the system via the console port with a terminal program or SSH session to an 
Ethernet port. The IOS prompts the User for username and password. If the password is correct, 
the User is allowed entry to the IOS executive program. In addition to username/password 
combination, RSA digital certificates can be used to authenticate the user over the SSH session. 

The services available to the User role consist of the following: 

Services & Access      Description                                   Keys & CSPs
Status Functions       View state of interfaces and protocols,       User password
(r, x)                 version of IOS currently running.
Network                Connect to other network devices              DRBG seed, DRBG V, DH
