Cisco 1841 Integrated Services Router with AIM-VPN/BPII-Plus and Cisco 2801 Integrated Services Router with AIM-VPN/EPII-Plus
OL-8719-01, page 8

Cisco 1841 and Cisco 2801 Routers

Table 6 describes the meaning of the Ethernet LEDs on the front panel.

The physical interfaces are separated into the FIPS 140-2 logical interfaces as described in Table 7.

Table 5 Cisco 2801 Front Panel Indicators (Continued)

| Name | State | Description |
|---|---|---|
| Compact Flash | Solid Green | Indicates that the flash is busy and should not be removed. |
| Compact Flash | Off | OK to remove flash card. |
| PVDM1 | Solid Green | PVDM1 installed and initialized. |
| PVDM1 | Solid Orange | PVDM1 installed and initialized error. |
| PVDM1 | Off | PVDM1 not installed. |
| PVDM0 | Solid Green | PVDM0 installed and initialized. |
| PVDM0 | Solid Orange | PVDM0 installed and initialized error. |
| PVDM0 | Off | PVDM0 not installed. |
| AIM1 | Solid Green | AIM1 installed and initialized. |
| AIM1 | Solid Orange | AIM1 installed and initialized error. |
| AIM1 | Off | AIM1 not installed. |
| AIM0 | Solid Green | AIM0 installed and initialized. |
| AIM0 | Solid Orange | AIM0 installed and initialized error. |
| AIM0 | Off | AIM0 not installed. |

Table 6 Cisco 2801 Ethernet Indicators

| Name | State | Description |
|---|---|---|
| Duplex | Solid Green | Full-Duplex |
| Duplex | Off | Half-Duplex |
| Speed | Solid Green | 100 Mbps |
| Speed | Off | 10 Mbps |
| Link | Solid Green | Ethernet link is established |
| Link | Off | No link established |

Table 7 Cisco 2801 FIPS 140-2 Logical Interfaces

| Router Physical Interface | FIPS 140-2 Logical Interface |
|---|---|
| 10/100 Ethernet LAN Ports, HWIC/WIC/VIC Ports, Console Port, Auxiliary Port | Data Input Interface |

Contents: 1841 - 3G Bundle Router

Page 1: ...41 or 2801, AIM-VPN/BPII-Plus Version 1.0 Board Version C1, AIM-VPN/EPII-Plus Version 1.0 Board Version D0, Firmware Version 12.3(11)T03 meet the security requirements of FIPS 140-2 and how to operate the router in a secure FIPS 140-2 mode. This policy was prepared as part of the Level 2 FIPS 140-2 validation of the Cisco 1841 and Cisco 2801 Integrated Services Routers. FIPS 140-2 (Federal Information P...

Page 2: ...st.gov/cryptval contains contact information for answers to technical or sales-related questions for the module. Terminology: In this document the Cisco 1841 or Cisco 2801 routers are referred to as the router, the module, or the system. Document Organization: The Security Policy document is part of the FIPS 140-2 Submission Package. In addition to this document, the Submission Package contains Vendor Evi...

Page 3: ...d FPGA, or the IOS software is used for cryptographic operations. The cryptographic boundary of the module is the device's case, shown in Figure 1. All of the functionality discussed in this document is provided by components within this cryptographic boundary. The interface for the router is located on the rear panel as shown in Figure 2. Figure 2 Cisco 1841 Rear Panel Physical Interfaces. The Cisco 184...

Page 4: ...e 3 describes the meaning of Ethernet LEDs on the rear panel. Table 1 Cisco 1841 Front Panel Indicators (Name, State, Description). System OK: Solid Green / Blinking Green: Router has successfully booted up and the software is functional / Booting or in ROM monitor (ROMMON) mode. System Activity: Solid Green / Blinking Green / Off: System is actively transferring packets / System is servicing interrupts / No interrupts or...

Page 5: ...ull-Duplex / Half-Duplex. Speed: Solid Green / Off: 100 Mbps / 10 Mbps. Link: Solid Green / Off: Ethernet link is established / No link established. Table 4 Cisco 1841 FIPS 140-2 Logical Interfaces (Router Physical Interface, FIPS 140-2 Logical Interface). 10/100 Ethernet LAN Ports, HWIC/WIC/VIC Ports, Console Port, Auxiliary Port: Data Input Interface. 10/100 Ethernet LAN Ports, HWIC/WIC/VIC Ports, Console Port, Auxiliary Po...

Page 6: ...le Physical Characteristics. Figure 3 The Cisco 2801 router case. The Cisco 2801 router is a multiple-chip standalone cryptographic module. The router has a processing speed of 240 MHz. Depending on configuration, either the installed AIM-VPN/BPII-Plus module, the onboard FPGA, or the IOS software is used for cryptographic operations. The cryptographic boundary of the module is the device's case (Figure 3). All o...

Page 7: ...the power inlet and on/off switch. The front panel contains the following: 1 VIC slot; 2 HWIC/WIC/VIC slot 0; 3 WIC/VIC slot; 4 HWIC/WIC/VIC slot 1; 5 Console port; 6 FE ports; 7 System status and activity LEDs; 8 Inline power LED; 9 USB port; 10 FE LEDs; 11 Auxiliary port; 12 CF LED; 13 CF drive. The rear panel contains the following: 1 Power inlet; 2 Power switch; 3 Ground connector. Table 5 provides more detailed...

Page 8: ...Orange / Off: PVDM0 installed and initialized / PVDM0 installed and initialized error / PVDM0 not installed. AIM1: Solid Green / Solid Orange / Off: AIM1 installed and initialized / AIM1 installed and initialized error / AIM1 not installed. AIM0: Solid Green / Solid Orange / Off: AIM0 installed and initialized / AIM0 installed and initialized error / AIM0 not installed. Table 5 Cisco 2801 Front Panel Indicators (Continued). Tabl...

Page 9: ...roles in the router that operators can assume: the Crypto Officer role and the User role. The administrator of the router assumes the Crypto Officer role in order to configure and maintain the router using Crypto Officer services, while the Users exercise only the basic User services. The module supports RADIUS and TACACS for authentication. A complete description of all the management and configurati...

Page 10: ...interfaces and network services, set system date and time, and load authentication information. Define Rules and Filters: Create packet Filters that are applied to User data streams on each interface. Each Filter consists of a set of Rules, which define a set of packets to permit or deny based on characteristics such as protocol ID, addresses, ports, TCP connection establishment, or packet direction. View S...

Page 11: ...the enclosure and the other half covers the port adapter slot. Step 4 The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the rear panel. Step 5 The labels completely cure within five minutes. Figure 6 and Figure 7 show the tamper evidence label placements for the Cisco 1841. Figure 6 Cisco 1841 Tamper Evident Label Placement (Bac...

Page 12: ...age the tamper evidence seals or the material of the module cover. Since the tamper evidence seals have non-repeated serial numbers, they can be inspected for damage and compared against the applied serial numbers to verify that the module has not been tampered with. Tamper evidence seals can also be inspected for signs of tampering, which include the following: curled corners, bubbling, crinkling, rips, tears...

Page 13: ...ing are not FIPS 140-2 approved algorithms: RC4, MD5, HMAC-MD5, RSA, and DH; however, again, DH is allowed for use in key establishment. The module contains a HiFn 7814-W cryptographic accelerator chip integrated in the AIM card. Unless the AIM card is disabled by the Crypto Officer with the no crypto engine aim command, the HiFn 7814-W provides AES (128-bit, 192-bit, and 256-bit), DES (56-bit, for legacy use only)...

Page 14: ...n in NVRAM in order to completely zeroize the keys. The following commands will zeroize the pre-shared keys from the DRAM: no crypto isakmp key key-string address peer-address; no crypto isakmp key key-string hostname peer-hostname. The DRAM running configuration must be copied to the start-up configuration in NVRAM in order to completely zeroize the keys. The module supports the following keys and cri...

Page 15: ...ID generation. This key is embedded in the module binary image and can be deleted by erasing the Flash. NVRAM, plaintext. Deleted by erasing the flash. IPSec encryption key (DES/TDES/AES): The IPSec encryption key. Zeroized when the IPSec session is terminated. DRAM, plaintext. Automatically when the IPSec session is terminated. IPSec authentication key (HMAC-SHA-1): The IPSec authentication key. The zeroization is the same...

Page 16: ...red Secret. The password of the User role. This password is zeroized by overwriting it with a new password. NVRAM, plaintext. Overwrite with new password. Enable password (Shared Secret): The plaintext password of the CO role. This password is zeroized by overwriting it with a new password. NVRAM, plaintext. Overwrite with new password. Enable secret (Shared Secret): The ciphertext password of the CO role. However...

Page 17: ...ervice Access Policy. Role/Service: User Role: Status Functions, Network Functions, Terminal Functions, Directory Services. Crypto Officer Role: Configure the Router, Define Rules and Filters, Status Functions, Manage the Router, Set Encryptions/Bypass, Change WAN Interface Cards. Security Relevant Data Item: PRNG Seed r d r w d; DH private exponent r r w d; DH public key r r w d; skeyid r r w d; skeyid_d r r w d; sk...

Page 18: ...Authentication key r d r w; Router authentication key 2 r r w d; SSH session key r r w d; User password r r w d; Enable password r w d. Table 9 Role and Service Access to CSP (Continued). Note: An empty entry indicates that a particular SRDI is not accessible by the corresponding service. SRDI/Role/Service Access Policy. Role/Service: User Role: Status Functions, Network Functions, Terminal Functions, Directory S...

Page 19: ...iodically or conditionally, include a bypass mode test performed conditionally prior to executing IPSec, and a continuous random number generator test. If any of the self-tests fail, the router transitions into an error state. In the error state, all secure data transmission is halted and the router outputs status information indicating the failure. Examples of the errors that cause the system to transit...

Page 20: ...er Test, SHA-1 Known Answer Test, DES Known Answer Test, 3DES Known Answer Test. Conditional tests: Conditional bypass test, Continuous random number generation test. Self-tests performed by the Onboard FPGA (FPGA Self Tests). POST tests: AES Known Answer Test, Firmware integrity test, HMAC-SHA-1 Known Answer Test, SHA-1 Known Answer Test, DES Known Answer Test, 3DES Known Answer Test. Self-tests performed by AIM...

Page 21: ...e without the password will not be possible. System Initialization and Configuration: The Crypto Officer must perform the initial configuration. IOS version 12.3(11)T03 Advanced Security build (advsecurity) is the only allowable image; no other image should be loaded. The value of the boot field must be 0x0102. This setting disables break from the console to the ROM monitor and automatically boots the IOS...

Page 22: ...y gets are allowed under SNMP v2C. SSL is not an approved protocol and shall not be used in FIPS mode of operations. Remote Access: Telnet access to the module is only allowed via a secure IPSec tunnel between the remote system and the module. The Crypto Officer must configure the module so that any remote connections via telnet are secured through IPSec using FIPS-approved algorithms. Note that all us...

Page 23: ...literature are available in the Product Documentation DVD package, which may have shipped with your product. The Product Documentation DVD is updated regularly and may be more current than printed documentation. The Product Documentation DVD is a comprehensive library of technical product documentation on portable media. The DVD enables you to access multiple versions of hardware and software installa...

Page 24: ...Cisco provides a free online Security Vulnerability Policy portal at this URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. From this site you can perform these tasks: Report security vulnerabilities in Cisco products; Obtain assistance with security incidents that involve Cisco products; Register to receive security information from Cisco. A current list of security a...

Page 25: ...not have a valid Cisco service contract, contact your reseller. Cisco Technical Support Documentation Website: The Cisco Technical Support Documentation website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day at this URL: http://www.cisco.com/techsupport. Access to all tools on the Cisco T...

Page 26: ...st of Cisco TAC contacts, go to this URL: http://www.cisco.com/techsupport/contacts. Definitions of Service Request Severity: To ensure that all service requests are reported in a standard format, Cisco has established severity definitions. Severity 1 (S1): Your network is down or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to reso...

Page 27: ...ue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL: http://www.cisco.com/go/iqmagazine, or view the digital edition at this URL: http://ciscoiq.texterit...

Page 28: ...ogo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Re...