manualshive.com logo in svg

Cisco 2811 Series, Операции, Страница: 18 / 30

Поделиться
Скачать
Cisco 2811 Series Скачать руководство пользователя страница 18

 

18

Cisco 2811 and Cisco 2821 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy

OL-8663-01

  Cisco 2811 and Cisco 2821 Routers

Note

All RSA operations are prohibited by policy, and commands that can be executed by Officer are shown 
“# command”.

.

Enable secret

Shared 
Secret

The ciphertext password of the CO role. However, 
the algorithm used to encrypt this password is not 
FIPS approved. Therefore, this password is 
considered plaintext for FIPS purposes. This 
password is zeroized by overwriting it with a new 
password.

NVRAM 
(plaintext)

Overwrite with new 
password

RADIUS secret Shared 

Secret

The RADIUS shared secret. This shared secret is 
zeroized by executing the “no radius-server key” 
command.

NVRAM 
(plaintext), 
DRAM 
(plaintext)

“# no radius-server key”

 
secret

Shared 
Secret

The shared secret. This shared secret is 
zeroized by executing the “no tacacs-server key” 
command.

NVRAM 
(plaintext), 
DRAM 
(plaintext)

“# no tacacs-server key”

Table 10

Role and Service Access to CSP 

Note: An empty entry indicates that a particular SRDI is not accessible by the corresponding service 

SRDI/Role/Service Access Policy

Role/Service

User Role

St

at

us

 F

u

nc

ti

ons

Network Fu

nct

ion

s

T

erminal Functions

Dir

ectory Services

Cryp

to-Off

icer Role

Configur

e the Rou

ter

Define Rules and Filters

St

at

us

 F

u

nc

ti

ons

Manage the Route

r

Set Encryptions/Byp

ass

Change W

AN Interfa

ce Cards

Security Relevant Data Item

PRNG Seed

r

d

r

w

d

DH private exponent

r

r

w

d

DH public key

r

r

w

d

Table 9

Cryptographic Keys and CSPs (Continued)

Содержание 2811 Series

Страница 1: ...nd how to operate the router enabled in a secure FIPS 140 2 mode This policy was prepared aspart of the Level 2 FIPS 140 2 validation of the Cisco 2811 or Cisco 2821 Integrated Services Router FIPS 140 2 Federal Information Processing Standards Publication 140 2 Security Requirements for Cryptographic Modules details the U S Government requirements for cryptographic modules More information about ...

Страница 2: ...to this document the Submission Package contains Vendor Evidence document Finite State Machine Other supporting documentation as additional references This document provides an overview of the routers and explains their secure configuration and operation This introduction section is followed by the Cisco 2811 and Cisco 2821 Routers section on page 2 which details the general features and functiona...

Страница 3: ...hysical Interfaces The Cisco 2811 router features a console port an auxiliary port two Universal Serial Bus USB ports four high speed WAN interface card HWIC slots two10 100 Gigabit Ethernet RJ45 ports an Enhanced Network Module ENM slot and a Compact Flash CF drive The Cisco 2811 router supports one single width network module four single width or two double width HWICs two internal advanced inte...

Страница 4: ...slots 8 ENM slot Table 1 and Table 2 provide more detailed information conveyed by the LEDs on the front and rear panel of the router 1 However an AIM module may not be installed in accordance with this security policy There is a separate security policy covering the Cisco 2811 and Cisco 2821 routers with AIM module installed Table 1 Cisco 2811 Front Panel Indicators Name State Description System ...

Страница 5: ...nitialized error PVDM0 Off Solid Green Solid Orange PVDM0 not installed PVDM0 installed and initialized PVDM0 installed and initialized error AIM1 Off Solid Green Solid Orange AIM1 not installed AIM1 installed and initialized AIM1 installed and initialized error AIM0 Off Solid Green Solid Orange AIM0 not installed AIM0 installed and initialized AIM0 installed and initialized error Table 3 Cisco 28...

Страница 6: ...amper evident seal will be placed over the card in the drive Table 4 Cisco 2811 FIPS 140 2 Logical Interfaces Router Physical Interface FIPS 140 2 Logical Interface 10 100 Ethernet LAN Ports HWIC Ports Console Port Auxiliary Port ENM Slot Data Input Interface 10 100 Ethernet LAN Ports HWIC Ports Console Port Auxiliary Port ENM Slot Data Output Interface 10 100 Ethernet LAN Ports HWIC Ports Power S...

Страница 7: ...ns The cryptographic boundary of the module is the device s case All of the functionality discussed in this document is provided by components within this cryptographic boundary The interfaces for the router are located on the front and rear panel as shown in Figure 5and Figure 6 respectively Figure 5 Cisco 2821 Front Panel Physical Interfaces 95903 Do Not Remove During Network Operation COMPACT F...

Страница 8: ...ront panel and Figure 6 shows the rear panel The front panel contains 4 LEDs that output status data about the system power auxiliary power system activity and compact flash busy status The back panel consists of 13 LEDs two Ethernet activity LEDs two duplex LEDs two speed LEDs two link LEDs three PVDM LEDs and two AIM LEDs The front panel contains the following 1 Power inlet 2 Power switch 3 Cons...

Страница 9: ...d Green No interrupts or packet transfer occurring System is servicing interrupts System is actively transferring packets Compact Flash Off Solid Green No ongoing accesses eject permitted Device is busy do not eject Table 6 Cisco 2821 Rear Panel Indicators Name State Description PVDM2 Off Solid Green Solid Orange PVDM2 not installed PVDM2 installed and initialized PVDM2 installed and initialized e...

Страница 10: ...ex Off Solid Green Half Duplex Full Duplex Speed One Blink Green Two Blink Green 10 Mbps 100 Mbps Link Off Solid Green No link established Ethernet link is established Table 8 Cisco 2821 FIPS 140 2 Logical Interfaces Router Physical Interface FIPS 140 2 Logical Interface 10 100 Ethernet LAN Ports HWIC Ports Console Port Auxiliary Port ENM Slot VeNoM Slot Data Input Interface 10 100 Ethernet LAN Po...

Страница 11: ...ete description of all the management and configuration capabilities of the router can be found in the Performing Basic System Management manual and in the online help for the router User Services Users enter the system by accessing the console port with a terminal program or via IPSec protected telnet or SSH session to a LAN port The IOS prompts the User for username and password If the password ...

Страница 12: ...w complete configurations manage user rights and restore router configurations Set Encryption Bypass Set up the configuration tables for IP tunneling Set keys and algorithms to be used for each IP range or allow plaintext packets to be set from specified IP address Physical Security The router is entirely encased by a metal opaque case The rear of the unit contains HWIC WIC VIC connectors LAN conn...

Страница 13: ...l Placement Front View To apply serialized tamper evidence labels to the Cisco 2821 Step 1 Clean the cover of any grease dirt or oil before applying the tamper evidence labels Alcohol based cleaning pads are recommended for this purpose The temperature of the router should be above 10 C Step 2 The tamper evidence label should be placed so that one half of the label covers the front panel and the o...

Страница 14: ...r the material of the module cover Since the tamper evidence seals have non repeated serial numbers they can be inspected for damage and compared against the applied serial numbers to verify that the module has not been tampered Tamper evidence seals can also be inspected for signs of tampering which include the following curled corners bubbling crinkling rips tears and slices The word OPEN may ap...

Страница 15: ... entered electronically Internet Key Exchange method with support for pre shared keys exchanged and entered electronically The pre shared keys are used with Diffie Hellman key agreement technique to derive DES 3DES or AES keys The pre shared key is also used to derive HMAC SHA 1 key The module supports commercially available Diffie Hellman for key establishment See the Cisco IOS Reference Guide Al...

Страница 16: ... after this it is reseeded with router derived entropy hence it is zeroized periodically Also the operator can turn off the router to zeroize this CSP DRAM plaintext Automatically every 400 bytes or turn off the router Diffie Hellman private exponent DH The private exponent used in Diffie Hellman DH exchange Zeroized after DH shared secret has been generated DRAM plaintext Automatically after shar...

Страница 17: ...tion key 1 Shared secret This key is used by the router to authenticate itself to the peer The router itself gets the password that is used as this key from the AAA server and sends it onto the peer The password retrieved from the AAA server is zeroized upon completion of the authentication attempt DRAM plaintext Automatically upon completion of authentication attempt PPP authentication key RFC 13...

Страница 18: ...roized by executing the no radius server key command NVRAM plaintext DRAM plaintext no radius server key TACACS secret Shared Secret The TACACS shared secret This shared secret is zeroized by executing the no tacacs server key command NVRAM plaintext DRAM plaintext no tacacs server key Table 10 Role and Service Access to CSP Note An empty entry indicates that a particular SRDI is not accessible by...

Страница 19: ...hared r r w d IKE hash key r r w d secret_1_0_0 r r w d IPSec encryption key r r w d Table 10 Role and Service Access to CSP Continued Note An empty entry indicates that a particular SRDI is not accessible by the corresponding service SRDI Role Service Access Policy Role Service User Role Status Functions Network Functions Terminal Functions Directory Services Crypto Officer Role Configure the Rou...

Страница 20: ...w d User password r r w d Enable password r w d Enable secret r w d RADIUS secret r w d TACACS secret r w d Table 10 Role and Service Access to CSP Continued Note An empty entry indicates that a particular SRDI is not accessible by the corresponding service SRDI Role Service Access Policy Role Service User Role Status Functions Network Functions Terminal Functions Directory Services Crypto Officer...

Страница 21: ... periodically or conditionally include a bypass mode test performed conditionally prior to executing IPSec and a continuous random number generator test If any of the self tests fail the router transitions into an error state In the error state all secure data transmission is halted and the router outputs status information indicating the failure Examples of the errors that cause the system to tra...

Страница 22: ...ive access to the module without the password will not be possible System Initialization and Configuration The Crypto Officer must perform the initial configuration IOS version 12 3 11 T03 Advanced Security build advsecurity is the only allowable image no other image should be loaded The value of the boot field must be 0x0102 This setting disables break from the console to the ROM monitor and auto...

Страница 23: ... Since SNMP v2C uses community strings for authentication only gets are allowed under SNMP v2C SSL is not an Approved protocol and shall not be used in FIPS mode Remote Access Telnet access to the module is only allowed via a secure IPSec tunnel between the remote system and the module The Crypto officer must configure the module so that any remote connections via telnet are secured through IPSec ...

Страница 24: ...y of technical product documentation on portable media The DVD enables you to access multiple versions of hardware and software installation configuration and command guides for Cisco products and to view technical documentation in HTML With the DVD you have access to the same documentation that is found on the Cisco website without being connected to the Internet Certain products also have pdf ve...

Страница 25: ...ce with security incidents that involve Cisco products Register to receive security information from Cisco A current list of security advisories and notices for Cisco products is available at this URL http www cisco com go psirt If you prefer to see advisories and notices as they are updated in real time you can access a Product Security Incident Response Team Really Simple Syndication PSIRT RSS f...

Страница 26: ...hnical Support Documentation Website The Cisco Technical Support Documentation website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies The website is available 24 hours a day at this URL http www cisco com techsupport Access to all tools on the Cisco Technical Support Documentation website requires a Cisco com user ID and ...

Страница 27: ... contacts go to this URL http www cisco com techsupport contacts Definitions of Service Request Severity To ensure that all service requests are reported in a standard format Cisco has established severity definitions Severity 1 S1 Your network is down or there is a critical impact to your business operations You and Cisco will commit all necessary resources around the clock to resolve the situati...

Страница 28: ...heir business and expand services The publication identifies the challenges facing these companies and the technologies to help solve them using real world case studies and business strategies to help readers make sound technology investment decisions You can access iQ Magazine at this URL http www cisco com go iqmagazine or view the digital edition at this URL http ciscoiq texterity com ciscoiq s...

Страница 29: ...isco Press Cisco Systems Cisco Systems Capital the Cisco Systems logo Cisco Unity Empowering the Internet Generation Enterprise Solver EtherChannel EtherFast EtherSwitch Fast Step FormShare GigaDrive GigaStack HomeLink Internet Quotient IOS IP TV iQ Expertise the iQ logo iQ Net Readiness Scorecard LightStream Linksys MeetingPlace MGX the Networkers logo Networking Academy Network Registrar Packet ...

Страница 30: ...30 Cisco 2811 and Cisco 2821 Integrated Services Router FIPS 140 2 Non Proprietary Security Policy OL 8663 01 Obtaining Additional Publications and Information ...

Отзывы:

Нет отзывов