
Corporate Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA

© 2005 Cisco Systems, Inc. All rights reserved.

Cisco 1841 Integrated Services Router with AIM-VPN/BPII-Plus and Cisco 2801 Integrated Services Router with AIM-VPN/EPII-Plus FIPS 140-2 Non-Proprietary Security Policy

Level 2 Validation

Version 1.3

December 14, 2005

Introduction

This document is the non-proprietary Cryptographic Module Security Policy for the Cisco 1841 
Integrated Services Routers with AIM-VPN/BPII-Plus and Cisco 2801 Integrated Services Routers with 
AIM-VPN/EPII-Plus. This security policy describes how the Cisco 1841 and Cisco 2801 Integrated 
Services Routers (Hardware Version: 1841 or 2801; AIM-VPN/BPII-Plus Version: 1.0, Board Version: 
C1; AIM-VPN/EPII-Plus Version: 1.0, Board Version: D0; Firmware Version: 12.3(11)T03) meet the 
security requirements of FIPS 140-2, and how to operate the router in a secure FIPS 140-2 mode. This 
policy was prepared as part of the Level 2 FIPS 140-2 validation of the Cisco 1841 and Cisco 2801 
Integrated Services Routers.

FIPS 140-2 (Federal Information Processing Standards Publication 140-2, Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the NIST website at http://csrc.nist.gov/cryptval/.

This document contains the following sections:

  • Introduction, page 1
  • Cisco 1841 and Cisco 2801 Routers, page 3
  • Secure Operation of the Cisco 1841 or Cisco 2801 router, page 21
  • Related Documentation, page 22

Summary of Contents (page excerpts)

Page 2: ...st.gov/cryptval contains contact information for answers to technical or sales-related questions for the module. Terminology: In this document, the Cisco 1841 or Cisco 2801 routers are referred to as the router, the module, or the system. Document Organization: The Security Policy document is part of the FIPS 140-2 Submission Package. In addition to this document, the Submission Package contains Vendor Evi...

Page 3: ...d FPGA, or the IOS software is used for cryptographic operations. The cryptographic boundary of the module is the device's case, shown in Figure 1. All of the functionality discussed in this document is provided by components within this cryptographic boundary. The interface for the router is located on the rear panel, as shown in Figure 2. Figure 2: Cisco 1841 Rear Panel Physical Interfaces. The Cisco 184...

Page 4: ...e 3 describes the meaning of Ethernet LEDs on the rear panel. Table 1: Cisco 1841 Front Panel Indicators (Name / State / Description). System OK: Solid Green, Router has successfully booted up and the software is functional; Blinking Green, Booting or in ROM monitor (ROMMON) mode. System Activity: Solid Green, System is actively transferring packets; Blinking Green, System is servicing interrupts; Off, No interrupts or...

Page 5: ...ull Duplex / Half Duplex. Speed: Solid Green, 100 Mbps; Off, 10 Mbps. Link: Solid Green, Ethernet link is established; Off, No link established. Table 4: Cisco 1841 FIPS 140-2 Logical Interfaces (Router Physical Interface / FIPS 140-2 Logical Interface). 10/100 Ethernet LAN Ports, HWIC/WIC/VIC Ports, Console Port, Auxiliary Port: Data Input Interface. 10/100 Ethernet LAN Ports, HWIC/WIC/VIC Ports, Console Port, Auxiliary Po...

Page 6: ...le Physical Characteristics. Figure 3: The Cisco 2801 router case. The Cisco 2801 router is a multiple-chip standalone cryptographic module. The router has a processing speed of 240 MHz. Depending on configuration, either the installed AIM-VPN/BPII-Plus module, the onboard FPGA, or the IOS software is used for cryptographic operations. The cryptographic boundary of the module is the device's case (Figure 3). All o...

Page 7: ...the power inlet and on/off switch. The front panel contains the following: 1 VIC slot; 2 HWIC/WIC/VIC slot 0; 3 WIC/VIC slot; 4 HWIC/WIC/VIC slot 1; 5 Console port; 6 FE ports; 7 System status and activity LEDs; 8 Inline power LED; 9 USB port; 10 FE LEDs; 11 Auxiliary port; 12 CF LED; 13 CF drive. The rear panel contains the following: 1 Power inlet; 2 Power switch; 3 Ground connector. Table 5 provides more detailed...

Page 8: ...Orange, PVDM0 installed and initialized, error; Off, PVDM0 not installed. AIM1: Solid Green, AIM1 installed and initialized; Solid Orange, AIM1 installed and initialized, error; Off, AIM1 not installed. AIM0: Solid Green, AIM0 installed and initialized; Solid Orange, AIM0 installed and initialized, error; Off, AIM0 not installed. Table 5: Cisco 2801 Front Panel Indicators (Continued). Tabl...

Page 9: ...roles in the router that operators can assume: the Crypto Officer role and the User role. The administrator of the router assumes the Crypto Officer role in order to configure and maintain the router using Crypto Officer services, while the Users exercise only the basic User services. The module supports RADIUS and TACACS for authentication. A complete description of all the management and configurati...

Page 10: ...interfaces and network services, set system date and time, and load authentication information. Define Rules and Filters: Create packet filters that are applied to User data streams on each interface. Each filter consists of a set of rules, which define a set of packets to permit or deny based on characteristics such as protocol ID, addresses, ports, TCP connection establishment, or packet direction. View S...

Page 11: ...the enclosure and the other half covers the port adapter slot. Step 4: The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the rear panel. Step 5: The labels completely cure within five minutes. Figure 6 and Figure 7 show the tamper evidence label placements for the Cisco 1841. Figure 6: Cisco 1841 Tamper Evident Label Placement (Bac...

Page 12: ...age the tamper evidence seals or the material of the module cover. Since the tamper evidence seals have non-repeated serial numbers, they can be inspected for damage and compared against the applied serial numbers to verify that the module has not been tampered with. Tamper evidence seals can also be inspected for signs of tampering, which include the following: curled corners, bubbling, crinkling, rips, tears, ...

Page 13: ...ing are not FIPS 140-2 approved algorithms: RC4, MD5, HMAC-MD5, RSA, and DH; however, again, DH is allowed for use in key establishment. The module contains a HiFn 7814-W cryptographic accelerator chip integrated in the AIM card. Unless the AIM card is disabled by the Crypto Officer with the "no crypto engine aim" command, the HiFn 7814-W provides AES (128-bit, 192-bit, and 256-bit), DES (56-bit, for legacy use only), ...

Page 14: ...n in NVRAM in order to completely zeroize the keys. The following commands will zeroize the pre-shared keys from the DRAM: "no crypto isakmp key key-string address peer-address" and "no crypto isakmp key key-string hostname peer-hostname". The DRAM running configuration must be copied to the start-up configuration in NVRAM in order to completely zeroize the keys. The module supports the following keys and cri...

Page 15: ...ID generation. This key is embedded in the module binary image and can be deleted by erasing the Flash. Storage: NVRAM, plaintext. Zeroization: Deleted by erasing the flash. IPSec encryption key (DES/TDES/AES): The IPSec encryption key. Zeroized when the IPSec session is terminated. Storage: DRAM, plaintext. Zeroization: Automatically when the IPSec session is terminated. IPSec authentication key (HMAC-SHA-1): The IPSec authentication key. The zeroization is the same...

Page 16: ...red Secret): The password of the User role. This password is zeroized by overwriting it with a new password. Storage: NVRAM, plaintext. Zeroization: Overwrite with new password. Enable password (Shared Secret): The plaintext password of the CO role. This password is zeroized by overwriting it with a new password. Storage: NVRAM, plaintext. Zeroization: Overwrite with new password. Enable secret (Shared Secret): The ciphertext password of the CO role. However, ...

Page 17: ...ervice Access Policy. Role / Service: User Role: Status Functions, Network Functions, Terminal Functions, Directory Services. Crypto Officer Role: Configure the Router, Define Rules and Filters, Status Functions, Manage the Router, Set Encryptions/Bypass, Change WAN Interface Cards. Security Relevant Data Item (access by role/service, r = read, w = write, d = delete): PRNG Seed: r d | r w d; DH private exponent: r | r w d; DH public key: r | r w d; skeyid: r | r w d; skeyid_d: r | r w d; sk...

Page 18: ...Authentication key: r d | r w. Router authentication key 2: r | r w d. SSH session key: r | r w d. User password: r | r w d. Enable password: r w d. Table 9: Role and Service Access to CSP (Continued). Note: An empty entry indicates that a particular SRDI is not accessible by the corresponding service. SRDI / Role / Service Access Policy. Role / Service: User Role: Status Functions, Network Functions, Terminal Functions, Directory S...

Page 19: ...iodically or conditionally include a bypass mode test, performed conditionally prior to executing IPSec, and a continuous random number generator test. If any of the self-tests fail, the router transitions into an error state. In the error state, all secure data transmission is halted and the router outputs status information indicating the failure. Examples of the errors that cause the system to transit...

Page 20: ...er Test, SHA-1 Known Answer Test, DES Known Answer Test, 3DES Known Answer Test. Conditional tests: Conditional bypass test, Continuous random number generation test. Self-tests performed by the Onboard FPGA (FPGA Self Tests), POST tests: AES Known Answer Test, Firmware integrity test, HMAC-SHA-1 Known Answer Test, SHA-1 Known Answer Test, DES Known Answer Test, 3DES Known Answer Test. Self-tests performed by AIM...

Page 21: ...e without the password will not be possible. System Initialization and Configuration: The Crypto Officer must perform the initial configuration. IOS version 12.3(11)T03 Advanced Security build (advsecurity) is the only allowable image; no other image should be loaded. The value of the boot field must be 0x0102. This setting disables break from the console to the ROM monitor and automatically boots the IOS...

Page 22: ...y gets are allowed under SNMP v2C. SSL is not an approved protocol and shall not be used in FIPS mode of operations. Remote Access: Telnet access to the module is only allowed via a secure IPSec tunnel between the remote system and the module. The Crypto Officer must configure the module so that any remote connections via telnet are secured through IPSec using FIPS-approved algorithms. Note that all us...
