Catalyst 6509 Switch, Cisco 7606 Router, and Cisco 7609 Router with VPN Services Module Certification Note, OL-6334-01, page 22

Cryptographic Key Management

Table 3 Critical Security Parameters (continued)

CSP Number | Key or CSP Name | Description | Storage
10 | pre_shared_key | The key used to generate the IKE SKEYID during preshared-key authentication. The no crypto isakmp key command zeroizes it. This key can have two forms, depending on whether the key is tied to the peer's hostname or to its IP address. | NVRAM (plaintext)
11 | hmac_data | This key generates keys 3, 4, 5 and 6. It is zeroized after those keys have been generated. | DRAM (plaintext)
12 | sig_key | The RSA public key used to validate signatures within IKE. These keys expire either when the certificate revocation list (CRL) expires or after 5 seconds if no CRL exists. The key is deleted after expiration and before a new public key structure is created. It does not need to be zeroized because it is a public key. | DRAM (plaintext)
13 | secret_1_0_0 | The fixed key used in Cisco vendor-ID generation. This key is embedded in the module binary image and can be deleted by erasing the flash memory. | NVRAM (plaintext)
14 | transform_key3 | The IPsec encryption key. It is zeroized when the IPsec session is terminated. | DRAM (plaintext)
15 | transform_key4 | The IPsec authentication key. It is zeroized when the IPsec session is terminated. | DRAM (plaintext)
16 | signature | The RSA public key of the CA. The no crypto ca trust label command invalidates the key and frees the public key label, which prevents further use of the key. This key does not need to be zeroized because it is a public key. | NVRAM (plaintext)
17 | dnssec_zone_key | The public key of the DNS server. It is invalidated using the no crypto ca trust label command, which invalidates the DNS server's public key and frees the public key label, preventing further use of that key. This label is different from the label used for the key above. This key does not need to be zeroized because it is a public key. | NVRAM (plaintext)
18 | SSL session key | The SSL session key. It is zeroized when the SSL connection is terminated. | DRAM (plaintext)
19 | ARAP key | The ARAP key hardcoded in the module binary image. This key can be deleted by erasing the flash memory. | Flash (plaintext)
20 | ARAP password | An ARAP user password used as an authentication key. A function uses this key in a DES algorithm for authentication. | DRAM (plaintext)
21 | config key | The key used to encrypt values in the configuration file. It is zeroized when the no key config-key command is issued. | NVRAM (plaintext)
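The operational content of the table is which CSPs survive a power cycle and which command clears each one. The Python checker below is an added example and is not part of the Cisco security policy: it transcribes rows 10 through 21, lists the persistent secret CSPs that a crypto officer has to zeroize explicitly before the module leaves their control, and checks a running-config dump for leftover IKE pre-shared keys (CSP 10) in both the address and hostname forms, emitting the matching no crypto isakmp key commands. The crypto isakmp key line syntax is assumed from standard IOS; the sample configuration text and key strings are constructed for the example.

```python
"""Added example, not code from the Cisco security policy: a small checker that
turns rows 10-21 of Table 3 into a zeroization checklist and verifies that the
NVRAM-resident IKE pre-shared keys (CSP 10) are really gone from a
"show running-config" dump after "no crypto isakmp key" has been issued.
All configuration text below is constructed for the example."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Csp:
    number: int
    name: str
    storage: str          # "NVRAM", "DRAM" or "Flash"; all plaintext per Table 3
    zeroize: str          # how Table 3 says the CSP is cleared
    public: bool = False  # public keys need no zeroization per the policy


# Transcribed from Table 3 (rows 10-21) on this page.
TABLE_3 = [
    Csp(10, "pre_shared_key", "NVRAM", "no crypto isakmp key"),
    Csp(11, "hmac_data", "DRAM", "zeroized after deriving CSPs 3-6"),
    Csp(12, "sig_key", "DRAM", "deleted on CRL expiry", public=True),
    Csp(13, "secret_1_0_0", "NVRAM", "erase flash memory"),
    Csp(14, "transform_key3", "DRAM", "IPsec session termination"),
    Csp(15, "transform_key4", "DRAM", "IPsec session termination"),
    Csp(16, "signature", "NVRAM", "no crypto ca trust <label>", public=True),
    Csp(17, "dnssec_zone_key", "NVRAM", "no crypto ca trust <label>", public=True),
    Csp(18, "SSL session key", "DRAM", "SSL connection termination"),
    Csp(19, "ARAP key", "Flash", "erase flash memory"),
    Csp(20, "ARAP password", "DRAM", "(not stated in this excerpt)"),
    Csp(21, "config key", "NVRAM", "no key config-key"),
]

PERSISTENT = {"NVRAM", "Flash"}


def decommission_checklist(csps=TABLE_3):
    """Secret CSPs that survive a power cycle and therefore need an explicit
    zeroization step. DRAM-only keys are cleared by session teardown or power loss."""
    return [(c.number, c.name, c.zeroize)
            for c in csps if not c.public and c.storage in PERSISTENT]


# Both forms Table 3 mentions for CSP 10: keyed to an IP address or a hostname.
# The optional leading digit tolerates an encryption-type token on newer IOS
# (assumption; the image covered by this policy stores the key in plaintext).
_ISAKMP_KEY = re.compile(
    r"^\s*crypto isakmp key (?:\d+ )?(?P<key>\S+) (?P<form>address|hostname) (?P<peer>\S+)")


def isakmp_keys(running_config):
    """Return (form, peer, key) for every pre-shared key in a running config."""
    found = []
    for line in running_config.splitlines():
        m = _ISAKMP_KEY.match(line)
        if m:
            found.append((m["form"], m["peer"], m["key"]))
    return found


def zeroization_commands(running_config):
    """The exact "no crypto isakmp key" commands that zeroize each CSP 10 instance."""
    return [f"no crypto isakmp key {key} {form} {peer}"
            for form, peer, key in isakmp_keys(running_config)]


def residual_keys(config_before, config_after):
    """Keys still present after zeroization; anything non-empty is a finding."""
    return sorted(set(isakmp_keys(config_before)) & set(isakmp_keys(config_after)))


# Constructed sample dumps; the key strings are placeholders, not real secrets.
CONFIG_BEFORE = """\
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key BRANCH-1-PSK address 192.0.2.10
crypto isakmp key HUB-PSK hostname hub.example.com
"""
CONFIG_AFTER = """\
crypto isakmp policy 10
 authentication pre-share
"""

if __name__ == "__main__":
    for item in decommission_checklist():
        print("CSP %d %-16s zeroize with: %s" % item)
    for cmd in zeroization_commands(CONFIG_BEFORE):
        print(cmd)
    print("residual:", residual_keys(CONFIG_BEFORE, CONFIG_AFTER))
```

Run it against a real show running-config capture taken before and after the crypto officer issues the no commands; an empty residual list is the evidence that CSP 10 was actually removed from NVRAM-backed configuration, while the checklist reminds you that CSPs 13, 19 and 21 need the erase flash and no key config-key steps, which the config dump cannot show.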
