hit counter script
Cisco 1841 User Manual

Cisco 1841 User Manual

Integrated services router with aim-vpn/bpii-plus integrated services router with aim-vpn/epii-plus fips 140-2 non proprietary security policy
Hide thumbs Also See for 1841:

Advertisement

Cisco 1841 Integrated Services Router with
AIM-VPN/BPII-Plus and Cisco 2801
Integrated Services Router with
AIM-VPN/EPII-Plus FIPS 140-2 Non
Proprietary Security Policy
Level 2 Validation
Version 1.3
December 14, 2005
Introduction
This document is the non-proprietary Cryptographic Module Security Policy for the Cisco 1841
Integrated Services Routers with AIM-VPN/BPII-Plus and Cisco 2801 Integrated Services Routers with
AIM-VPN/EPII-Plus. This security policy describes how the Cisco 1841 and Cisco 2801 Integrated
Services Routers (Hardware Version: 1841 or 2801; AIM-VPN/BPII-Plus Version: 1.0, Board Version:
C1; AIM-VPN/EPII-Plus Version: 1.0, Board Version: D0; Firmware Version: 12.3(11)T03) meet the
security requirements of FIPS 140-2, and how to operate the router in a secure FIPS 140-2 mode. This
policy was prepared as part of the Level 2 FIPS 140-2 validation of the Cisco 1841 and Cisco 2801
Integrated Services Routers.
FIPS 140-2 (Federal Information Processing Standards Publication 140-2—Security Requirements for
Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More
information about the FIPS 140-2 standard and validation program is available on the NIST website at
http://csrc.nist.gov/cryptval/.
This document contains the following sections:
Corporate Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
© 2005 Cisco Systems, Inc. All rights reserved.
Introduction, page 1
Cisco 1841 and Cisco 2801 Routers, page 3
Secure Operation of the Cisco 1841 or Cisco 2801 router, page 21
Related Documentation, page 22

Advertisement

Table of Contents
loading

Summary of Contents for Cisco 1841

  • Page 1 FIPS 140-2, and how to operate the router in a secure FIPS 140-2 mode. This policy was prepared as part of the Level 2 FIPS 140-2 validation of the Cisco 1841 and Cisco 2801 Integrated Services Routers.
  • Page 2: Document Organization

    • for answers to technical or sales-related questions for the module. Terminology In this document, the Cisco 1841 or Cisco 2801 routers are referred to as the router, the module, or the system. Document Organization The Security Policy document is part of the FIPS 140-2 Submission Package. In addition to this...
  • Page 3 SLOT 1 DO NOT REMOVE DURING NETWORK OPERATION The Cisco 1841 router features a console port, an auxiliary port, Universal Serial Bus (USB) port, two high-speed WAN interface card/WAN interface card/Voice interface card (HWIC/WIC/VIC) slots, two 10/100 Fast Ethernet RJ45 ports, and a Compact Flash (CF) drive. The Cisco 1841 router supports AIM-VPN/BPII-Plus card and two fast Ethernet connections.
  • Page 4 Table 3 describes the meaning of Ethernet LEDs on the rear panel: Cisco 1841 Integrated Services Router with AIM-VPN/BPII-Plus and Cisco 2801 Integrated Services Router with AIM-VPN/EPII-Plus provide more detailed information conveyed by the LEDs on the front and rear panel...
  • Page 5 There are two USB ports but they are not supported currently. The ports will be supported in the future for smartcard or token reader. Cisco 1841 Integrated Services Router with AIM-VPN/BPII-Plus and Cisco 2801 Integrated Services Router with AIM-VPN/EPII-Plus OL-8719-01...
  • Page 6 Figure 4 Cisco 2801 Front Panel Physical Interfaces Figure 5 Cisco 2801 Rear Panel Physical Interfaces Cisco 1841 Integrated Services Router with AIM-VPN/BPII-Plus and Cisco 2801 Integrated Services Router with AIM-VPN/EPII-Plus 11 12 Figure 3. All of the functionality Figure...
  • Page 7 The Cisco 2801 router features a console port, an auxiliary port, Universal Serial Bus (USB) port, two high-speed WAN interface card (HWIC) slots, Voice interface card (VIC) slot, WIC/VIC slot, two10/100 Fast Ethernet RJ45 ports, and a Compact Flash (CF) drive. The Cisco 2801 router has two slots for AIM-VPN/EPII-Plus cards connections.
  • Page 8 10/100 Ethernet LAN Ports HWIC/WIC/VIC Ports Console Port Auxiliary Port Cisco 1841 Integrated Services Router with AIM-VPN/BPII-Plus and Cisco 2801 Integrated Services Router with AIM-VPN/EPII-Plus Solid Green Indicates that the flash is busy and should not be removed. OK to remove flash card.
  • Page 9: Roles And Services

    Tamper evident seal will be placed over the card in the drive. Roles and Services Authentication to the Cisco 1841 and Cisco 2801 is role-based. There are two main roles in the router that operators can assume: the Crypto Officer role and the User role. The administrator of the router assumes the Crypto Officer role in order to configure and maintain the router using Crypto Officer services, while the Users exercise only the basic User services.
  • Page 10: Physical Security

    Once the router has been configured in to meet FIPS 140-2 Level 2 requirements, the router cannot be accessed without signs of tampering. To seal the system, apply serialized tamper-evidence labels as follows: Cisco 1841 Integrated Services Router with AIM-VPN/BPII-Plus and Cisco 2801 Integrated Services Router with AIM-VPN/EPII-Plus OL-8719-01...
  • Page 11 The tamper evidence label should be placed so that one half of the label covers the front panel and the Step 2 other half covers the enclosure. Cisco 1841 Integrated Services Router with AIM-VPN/BPII-Plus and Cisco 2801 Integrated Services Router with AIM-VPN/EPII-Plus OL-8719-01 show the tamper evidence label placements for the Cisco 1841.
  • Page 12: Cryptographic Key Management

    Software (IOS) implementations • – Cisco 1841 Integrated Services Router with AIM-VPN/BPII-Plus and Cisco 2801 Integrated Services Router with AIM-VPN/EPII-Plus show the tamper evidence label placements for the 2821. Cisco 2801 Tamper Evident Label Placement (Back View) Cisco 2801 Tamper Evident Label Placement (Front View)
  • Page 13 The module supports the commercially available Diffie-Hellman method of key establishment. See Document 7A, Cisco IOS Reference Guide. Cisco 1841 Integrated Services Router with AIM-VPN/BPII-Plus and Cisco 2801 Integrated Services Router with AIM-VPN/EPII-Plus OL-8719-01 Cisco 1841 and Cisco 2801 Routers...
  • Page 14: Key Zeroization

    Zeroized when IKE session is terminated. skeyid_d Keyed The IKE key derivation key for non ISAKMP SHA-1 security associations. Cisco 1841 Integrated Services Router with AIM-VPN/BPII-Plus and Cisco 2801 Integrated Services Router with AIM-VPN/EPII-Plus Zeroization Storage Method DRAM Automatically every 400 (plaintext) bytes, or turn off the router.
  • Page 15 DRAM and not zeroized at runtime. One can turn off the router to zeroize this key because it is stored in DRAM. Cisco 1841 Integrated Services Router with AIM-VPN/BPII-Plus and Cisco 2801 Integrated Services Router with AIM-VPN/EPII-Plus OL-8719-01 Cisco 1841 and Cisco 2801 Routers...
  • Page 16 All RSA operations are prohibited by policy, and commands that can be executed by Officer are shown Note “# command”. Cisco 1841 Integrated Services Router with AIM-VPN/BPII-Plus and Cisco 2801 Integrated Services Router with AIM-VPN/EPII-Plus NVRAM “# no username password”...
  • Page 17 IKE session encrypt key IKE session authentication key ISAKMP preshared Cisco 1841 Integrated Services Router with AIM-VPN/BPII-Plus and Cisco 2801 Integrated Services Router with AIM-VPN/EPII-Plus OL-8719-01 Role and Service Access to CSP Cisco 1841 and Cisco 2801 Routers...
  • Page 18 Router authentication key PPP Authentication key Router authentication key 2 SSH session key User password Enable password Cisco 1841 Integrated Services Router with AIM-VPN/BPII-Plus and Cisco 2801 Integrated Services Router with AIM-VPN/EPII-Plus Role and Service Access to CSP (Continued) OL-8719-01...
  • Page 19 Known answer test failed • NVRAM module malfunction. • Temperature high warning • Cisco 1841 Integrated Services Router with AIM-VPN/BPII-Plus and Cisco 2801 Integrated Services Router with AIM-VPN/EPII-Plus OL-8719-01 Role and Service Access to CSP (Continued) Cisco 1841 and Cisco 2801 Routers...
  • Page 20 DES Known Answer Test – 3DES Known Answer Test – SHA-1 Known Answer Test – HMAC-SHA-1 Known Answer Test – Firmware integrity test – Cisco 1841 Integrated Services Router with AIM-VPN/BPII-Plus and Cisco 2801 Integrated Services Router with AIM-VPN/EPII-Plus OL-8719-01...
  • Page 21: Initial Setup

    Secure Operation of the Cisco 1841 or Cisco 2801 router The Cisco 1841 and Cisco 2801 routers meet all the Level 2 requirements for FIPS 140-2. Follow the setting instructions provided below to place the module in FIPS-approved mode. Operating this router without maintaining the following settings will remove the module from the FIPS approved mode of operation.
  • Page 22: Ipsec Requirements And Cryptographic Algorithms

    Note that all users must still authenticate after remote access is granted. Related Documentation For more information about the Cisco 1841 and Cisco 2801 Integrated Services Routers, refer to the following documents: Cisco 1800 Series Integrated Services Routers Quick Start Guides •...
  • Page 23: Obtaining Documentation

    Cisco products and to view technical documentation in HTML. With the DVD, you have access to the same documentation that is found on the Cisco website without being connected to the Internet. Certain products also have .pdf versions of the documentation available.
  • Page 24: Documentation Feedback

    Register to receive security information from Cisco. • A current list of security advisories and notices for Cisco products is available at this URL: http://www.cisco.com/go/psirt If you prefer to see advisories and notices as they are updated in real time, you can access a Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL: http://www.cisco.com/en/US/products/products_psirt_rss_feed.html...
  • Page 25: Obtaining Technical Assistance

    Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting Note a web or phone request for service. You can access the CPI tool from the Cisco Technical Support & Documentation website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts &...
  • Page 26: Submitting A Service Request

    Cisco engineer. The TAC Service Request Tool is located at this URL: http://www.cisco.com/techsupport/servicerequest For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
  • Page 27 Cisco experts and other networking professionals. Join a discussion at this URL: http://www.cisco.com/discuss/networking World-class networking training is available from Cisco. You can view current offerings at • this URL: http://www.cisco.com/en/US/learning/index.html Cisco 1841 Integrated Services Router with AIM-VPN/BPII-Plus and Cisco 2801 Integrated Services Router with AIM-VPN/EPII-Plus OL-8719-01 Obtaining Additional Publications and Information...
  • Page 28 Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the...

This manual is also suitable for:

2801

Table of Contents

Save PDF