Cisco 7606 Скачать руководство пользователя страница 21 | Manualshive

Страница: 21 / 28

background image

21

Catalyst 6509 Switch, Cisco 7606 Router, and Cisco 7609 Router with VPN Services Module Certification Note

OL-6334-01

Cryptographic Key Management

The tamper evidence seals are made from a special thin-gauge vinyl with self-adhesive backing. Any
attempt to open the chassis, remove the modules or power supplies, or remove the opacity shield will
damage the tamper evidence seals or the painted surface and metal of the chassis. Because the tamper
evidence seals have nonrepeated serial numbers, they may be inspected for damage and compared
against the applied serial numbers to verify that the module has not been tampered with. Tamper
evidence seals can also be inspected for signs of tampering, which include the following: curled corners,
bubbling, crinkling, rips, tears, and slices. The word “OPEN” may appear if the label was peeled back.

Cryptographic Key Management

The switch or the router securely administers both cryptographic keys and other critical security
parameters such as passwords. The tamper evidence seals provide physical protection for all keys. Keys
are also password protected and can be zeroized by the crypto officer. Keys are exchanged manually and
entered electronically using manual key exchange or Internet Key Exchange (IKE).

Chassis containing the VPN Services Module and a cryptographic accelerator card support DES (56-bit)
(only for legacy systems) and 3DES (168-bit) IPsec encryption, MD5 and SHA-1 hashing, and hardware
support for RSA signature generation.

The module supports the critical security parameters (CSPs) as described in

Table 3

.

Table 3

Critical Security Parameters

CSP
Number

Key or CSP Name

Description

Storage

1

.key

This is the seed key for X9.31 PRNG. This key is stored
in DRAM and updated periodically after 400 bytes are
generated; hence, it is zeroized periodically. The operator
also can turn off the router to zeroize this key.

DRAM
(plaintext)

2

secret_number

The private exponent used in Diffie-Hellman (DH)
exchange. It is zeroized after a DH shared secret has been
generated.

DRAM
(plaintext)

3

skeyid

The shared secret within IKE exchange. It is zeroized
when an IKE session is terminated.

DRAM
(plaintext)

4

skeyid_d

The shared secret within IKE exchange. It is zeroized
when an IKE session is terminated.

DRAM
(plaintext)

5

skeyid_a

The shared secret within IKE exchange. It is zeroized
when an IKE session is terminated.

DRAM
(plaintext)

6

skeyid_e

The shared secret within IKE exchange. It is zeroized
when an IKE session is terminated.

DRAM
(plaintext)

7

transform_key1

The IKE session encrypt key. It is zeroized when an IKE
session is terminated.

DRAM
(plaintext)

8

transform_key2

The IKE session authentication key. It is zeroized when
an IKE session is terminated.

DRAM
(plaintext)

9

crypto_private_key

The RSA private key. The

crypto key zeroize

command

zeroizes this key.

NVRAM
(plaintext)

«
...
19
20
21
22
23
...
»

Содержание 7606

Страница 1: ...e Hardware Version 3 2 VPN Services Module Hardware Version 1 2 Firmware Version 12 2 14 SY3 This security policy describes how the Catalyst 6509 switch and the Cisco 7606 and Cisco 7609 routers with the VPN Services Module meet the security requirements of FIPS 140 2 and describes how to operate the hardware devices in a secure FIPS 140 2 mode This policy was prepared as part of the Level 2 FIPS ...

Страница 2: ...6509 switch and the Cisco 7606 and Cisco 7609 routers in the technical terms of a FIPS 140 2 Cryptographic Module Security Policy More information is available on the Catalyst 6509 switch and the Cisco 7606 and Cisco 7609 routers and the entire Catalyst 6500 series switches and Cisco 7600 series routers from the following sources The Catalyst 6500 series switch product descriptions can be found at...

Страница 3: ...alyst 6509 Switch and Cisco 7606 and Cisco 7609 Routers section which details the general features and functionality of the Catalyst 6509 switch and Cisco 7606 and Cisco 7609 routers The Secure Operation of the Catalyst 6509 Switch and the Cisco 7606 and Cisco 7609 Routers section specifically addresses the required configuration for the FIPS approved mode of operation With the exception of this N...

Страница 4: ... 8 PORT GIGABIT ETHERNET WS X6408 1 LI N K ST AT U S 2 3 4 5 6 7 8 LI N K LI N K LI N K LI N K LI N K LI N K LI N K 8 PORT GIGABIT ETHERNET WS X6408 1 LI N K ST AT U S 2 3 4 5 6 7 8 LI N K LI N K LI N K LI N K LI N K LI N K LI N K 8 PORT GIGABIT ETHERNET WS X6408 1 LI N K ST AT U S 2 3 4 5 6 7 8 LI N K LI N K LI N K LI N K LI N K LI N K LI N K 24 PORT 100FX WS X6224 ST AT US 24 PORT 100FX WS X6224...

Страница 5: ... E TX RX TX PO RT 1 RX ACTIV E TX RX TX PO RT 2 RX ACTIV E TX RX TX PO RT 3 RX ACTIV E TX RX TX PO RT4 RX OSM 4OC12 POS SI 4 PORT OC 12 POS SM IR STATUS 1 1 2 2 3 3 4 4 RESET LIN K LIN K LIN K LIN K CARRIE R ALARM CARRIE R ALARM CARRIE R ALARM CARRIE R ALARM ACTIV E TX RX TX PO RT 1 RX ACTIV E TX RX TX PO RT 2 RX ACTIV E TX RX TX PO RT 3 RX ACTIV E TX RX TX PO RT4 RX OSM 4OC12 POS SI 4 PORT OC 12 ...

Страница 6: ...T PORT 1 PORT 2 Switch Load 100 1 LIN K LIN K SUPERVISOR2 WS X6K SUP2 2GE ST AT US SY ST EM CO NS OL E PW R MG MT RE SE T CONSOLE CONSOLE PORT MODE PCMCIA EJECT PORT 1 PORT 2 Switch Load 100 1 LIN K LIN K SWITCH FABRIC MDL ST AT US SE LE CT NE XT WS C6500 SFM AC TIV E SWITCH FABRIC MDL ST AT US SE LE CT NE XT WS C6500 SFM AC TIV E OC12 POS MM OSM 40C12 POS MM ST AT US 1 2 3 4 RE SE T LI NK 1 LI NK...

Страница 7: ...virtual private networks or outsourced dial solutions The RISC based processor provides the power needed for the dynamic requirements of the remote branch office Module Interfaces The switch and router chassis physical interfaces are located on the supervisor engine front panel See Figure 4 Figure 4 Supervisor Engine Physical Interfaces The Catalyst 6509 switch and the Cisco 7606 and Cisco 7609 ro...

Страница 8: ...ge The power supply has failed or the power supply fan has failed Incompatible power supplies are installed The redundant clock has failed One VTT2 module has failed or the VTT module temperature minor threshold has been exceeded Red Two VTT modules fail or the VTT module temperature major threshold has been exceeded The temperature of the supervisor engine major threshold has been exceeded 3 ACTI...

Страница 9: ...tes signals on the Catalyst switching bus 3 If no redundant supervisor engine is installed and there is a VTT module minor or major over temperature condition the system shuts down 4 Enter the show crypto eli command to determine whether the FIPS related self tests passed All of these physical interfaces are separated into the logical interfaces from FIPS 140 2 as described in Table 2 Table 2 FIPS...

Страница 10: ... role The module supports RADIUS and TACACS for authentication and they are used in the FIPS mode A complete description of all the management and configuration capabilities of the Catalyst 6509 switch and the Cisco 7606 and Cisco 7609 routers can be found in the Performing Basic System Management manual and in the online help for the switch or the router The user and crypto officer passwords and ...

Страница 11: ... Get commands to view SNMP MIB II statistics health temperature memory status voltage and packet statistics reviews accounting logs and views physical interface status Managing the switch or the router Logs off users shuts down or reloads the switch or router manually backs up switch or router configurations views complete configurations manages user rights and restores switch or router configurat...

Страница 12: ...the bag with the part number 800 26335 xx This is the opacity shield kit for the Catalyst 6509 switch chassis Set the other opacity shield kit aside Step 4 Open the protective packaging and remove the opacity shield and the two bags of installation hardware The opacity shield is identified by the label 6509 E that is silk screened adjacent to some of the holes on the shield Retain the fastener bag...

Страница 13: ...ap rivet fastener and use a new one from the extras supplied in the bag of fasteners Step 12 Repeat step 10 and step 11 for the remaining three snap rivet fasteners Refer to Figure 5 for snap rivet fastener placement Caution Due to decreased airflow when using the opacity shield which is required for FIPS 140 2 validation short term operation as specified by GR 63 CORE at 55º C is impacted Short t...

Страница 14: ...UT OK FAN OK OUTPUT FAIL o FAN STATUS INPUT OK FAN OK OUTPUT FAIL o 1 2 3 4 5 6 7 8 9 IPSec VPN Acceleration Services Module WS SVC IPSEC 1 ST AT US SUPERVISOR2 WS X6K SUP2 2GE ST AT US SY ST EM CO NS OL E PW R MG MT RE SE T CONSOLE CONSOLE PORT MODE PCMCIA EJECT PORT 1 PORT 2 Switch Load 100 1 LIN K LIN K Shield screw Opacity shield material removed for clarity Chassis shown removed from rack for...

Страница 15: ...ing A bag containing the installation hardware In some kits there is no bag the installation hardware is premounted in the opacity shield An envelope with 30 FIPS tamper evidence labels and a disposable ESD wrist strap Step 3 Remove the opacity shield from its protective packaging a If the thumbscrews and the snap rivet fasteners are already installed on the opacity shield remove the four snap riv...

Страница 16: ... snap rivet fastener and use a new one from the extras supplied in the bag of fasteners Step 10 Repeat step 8 and step 9 for the remaining three snap rivet fasteners Refer to Figure 6 for snap rivet fastener placement Caution Due to decreased airflow when using the opacity shield which is required for FIPS 140 2 validation short term operation as specified by GR 63 CORE at 55º C is impacted Short ...

Страница 17: ... Opacity Shield on the Cisco 7606 Router SUPERVISOR2 WS X6K SUP2 2GE ST AT US SY ST EM CO NSO LE PW R M G M T RES ET CONSOLE CONSOLE PORT MODE PCMCIA EJECT PORT 1 PORT 2 Switch Load 100 1 LI NK LI NK 4 5 6 IPSec VPN Acceleration Services Module WS SVC IPSEC 1 STATUS 130882 Shield screw Opacity shield material removed for clarity Snap rivet sleeve Snap rivet pin Chassis shown removed from rack for ...

Страница 18: ...0 F Step 2 Place labels on the chassis as shown in either Figure 7 Catalyst 6509 switch Figure 8 Cisco 7606 router or Figure 9 Cisco 7609 router a Fan tray The tamper evidence label should be placed so that one half of the label adheres to the front of the fan tray and the other half adheres to the left side of the chassis Any attempt to remove the fan tray will damage the tamper seal which indica...

Страница 19: ...es to the Supervisor Engine 2 faceplate Any attempt to install or remove a Flash PC card will damage the tamper seal which indicates tampering has occurred b Place a tamper evidence label so that one half of the label adheres to the GBIC transceiver installed in the supervisor engine 2 network interface uplink port and the other half adheres to the Supervisor Engine 2 faceplate Any attempt to remo...

Страница 20: ...T MODE PCMCIA EJECT PORT 1 PORT 2 Switch Load 100 1 LIN K LIN K 130879 4 5 6 IPSec VPN Acceleration Services Module WS SVC IPSEC 1 ST AT US IN PU T O K FA N O K O UT PU T FA IL Cisco Systems Inc IN PU T O K FA N O K O UT PU T FA IL Cisco Systems Inc 130880 INPUT OK FAN OK OUTPUT FAIL o INPUT OK FAN OK OUTPUT FAIL o POWER SUPPLY 1 POWER SUPPLY 2 IPSec VPN Acceleration Services Module WS SVC IPSEC 1...

Страница 21: ...phic accelerator card support DES 56 bit only for legacy systems and 3DES 168 bit IPsec encryption MD5 and SHA 1 hashing and hardware support for RSA signature generation The module supports the critical security parameters CSPs as described in Table 3 Table 3 Critical Security Parameters CSP Number Key or CSP Name Description Storage 1 key This is the seed key for X9 31 PRNG This key is stored in...

Страница 22: ...ransform_key4 The IPsec authentication key It is zeroized when IPsec session is terminated DRAM plaintext 16 signature The RSA public key of the CA The no crypto ca trust label command invalidates the key and it frees the public key label that prevents use of the key This key does not need to be zeroized because it is a public key NVRAM plaintext 17 dnssec_zone_key This key is a public key of the ...

Страница 23: ...atabase on the switch or router Issuing the command no username password zeroizes the password that is used as this key from the local database NVRAM plaintext 26 ssh encryption key This is the SSH session key It is zeroized when the SSH session is terminated DRAM plaintext 27 User Password The password of the user role This password is zeroized by overwriting it with a new password NVRAM plaintex...

Страница 24: ...or IKE authentication Table 4 Role and Service Access to Critical Security Parameters CSPs SRDI Role Service Access Policy Security Relevant Data Item Critical Security Parameters Role Service User Role Status Functions Network Functions CSP 1 20 R CSP 22 27 R Terminal Functions Directory Functions Crypto Officer Role Configure the Router CSP 13 R W D CSP 19 R W D CSP 21 R W D CSP 25 R W D Define ...

Страница 25: ...he pre shared keys The crypto officer needs to be authenticated to store keys All Diffie Hellman DH keys agreed upon for individual tunnels are directly associated with that specific tunnel only through the IKE protocol Key Zeroization All of the keys and CSPs of the module can be zeroized Refer to the description column of Table 3 for information on methods to zeroize each key and CSP Self Tests ...

Страница 26: ...ections to place the module in a FIPS approved mode of operation Operating this router or switch without maintaining the following settings will remove the module from the FIPS approved mode of operation Initial Setup Before configuring the router or switch note these requirements The crypto officer must ensure that the VPN Services Module cryptographic accelerator card is installed in the chassis...

Страница 27: ...aracters to users Identification and authentication on the console port is required for users From the configure terminal command line the crypto officer enters the following syntax line con 0 password PASSWORD login local The crypto officer shall only assign users to a privilege level 1 the default The crypto officer shall not assign a command to any privilege level other than its default The cry...

Страница 28: ...eader application The RSS feeds are a free service and Cisco currently supports RSS Version 2 0 CCSP CCVP the Cisco Square Bridge logo Follow Me Browsing and StackWise are trademarks of Cisco Systems Inc Changing the Way We Work Live Play and Learn and iQuick Study are service marks of Cisco Systems Inc and Access Registrar Aironet ASIST BPX Catalyst CCDA CCDP CCIE CCIP CCNA CCNP Cisco the Cisco C...

Отзывы:

Нет отзывов

Похожие инструкции для 7606

Бренд: Watchguard Страницы: 40

Wireless Router

Бренд: Watchguard Страницы: 11

Бренд: D-Link Страницы: 32

Бренд: D-Link Страницы: 28

Бренд: D-Link Страницы: 48

Бренд: D-Link Страницы: 83

Бренд: D-Link Страницы: 155

Elinx EIRP305-T

Бренд: B&B Electronics Страницы: 19

LS42 - BladeCenter - 7902

Бренд: IBM Страницы: 56

Бренд: IBM Страницы: 2

BladeCenter Management Module

Бренд: IBM Страницы: 78

Бренд: IBM Страницы: 110

Remote Supervisor Adapter II

Бренд: IBM Страницы: 132

Бренд: Alcad Страницы: 6

Бренд: Quectel Страницы: 23

Бренд: Bridgeworks Страницы: 18

Бренд: Macsense Страницы: 39

Momentum ROG Strix X570-E D-RGB

Бренд: EK-Quantum Страницы: 10

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды