Cisco 2621XM Operations

Cisco 2621XM and Cisco 2651XM Modular
Access Routers with AIM-VPN/EP FIPS 140-2
Non-Proprietary Security Policy
Level 2 Validation
Version 1.3
June 2, 2004
Introduction
This is the non-proprietary Cryptographic Module Security Policy for the 2621XM and 2651XM
Modular Access Routers with AIM-VPN/EP. This security policy describes how the 2621XM and
2651XM routers (Hardware Version: 2621XM, 2651XM; AIM-VPN/EP: Hardware Version 1.0, Board
Version B0; Firmware Version: IOS 12.3(3d)) meet the security requirements of FIPS 140-2, and how to
operate the 2621XM and 2651XM routers in a secure FIPS 140-2 mode. This policy was prepared as
part of the Level 2 FIPS 140-2 validation of the 2621XM and 2651XM routers.
FIPS 140-2 (Federal Information Processing Standards Publication 140-2—Security Requirements for
Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More
information about the FIPS 140-2 standard and validation program is available on the NIST website at
http://csrc.nist.gov/cryptval/.
This document contains the following sections:
Introduction, page 1
The 2621XM/2651XM Router, page 2
Secure Operation of the Cisco 2621XM/2651XM Router, page 17
Related Documentation, page 19
Obtaining Documentation, page 19
Documentation Feedback, page 20
Obtaining Technical Assistance, page 20
Obtaining Additional Publications and Information, page 22
Corporate Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
Copyright © 2001. Cisco Systems, Inc. All rights reserved.


Summary of Contents for Cisco 2621XM

  • Page 1: Introduction (title page, reproduced above)
  • Page 2: Document Organization

    This document deals only with operations and capabilities of the Cisco 2621XM and Cisco 2651XM routers in the technical terms of a FIPS 140-2 cryptographic module security policy. More information is available on the Cisco 2621XM and Cisco 2651XM routers and the Cisco 2600 Series from the following sources: The Cisco Systems website contains information on the full line of products at www.cisco.com.
  • Page 3: Module Interfaces

    Cisco IOS features such as tunneling, data encryption, and termination of Remote Access WANs via IPSec, Layer 2 Forwarding (L2F) and Layer 2 Tunneling Protocol (L2TP) make the Cisco 2600 an ideal platform for building virtual private networks or outsourced dial solutions. Cisco 2600's RISC-based...
  • Page 4 The Cisco 2621XM and 2651XM routers feature a console port, an auxiliary port, dual fixed LAN interfaces, a Network Module slot, and two WIC slots. LAN support includes single and dual Ethernet options; 10/100 Mbps auto-sensing Ethernet; mixed Token-Ring and Ethernet;...
  • Page 5 Front Panel LEDs: Table 2 provides more detailed information conveyed by the LEDs on the front panel of the router (POWER, 100 Mbps, Link, ...). Document number OL-6262-01.
  • Page 6 Interfaces: Network Module Interface, Power Switch, Console Port, Auxiliary Port. LED table continued, Description column: Power is supplied to the router and the router is operational; The router is not powered on...
  • Page 7: Roles And Services

    FIPS mode. A complete description of all the management and configuration capabilities of the Cisco 2621XM and 2651XM Routers can be found in the Performing Basic System Management manual and in the online help for the router.
  • Page 8: User Services

    The top portion of the chassis may be removed (see the ... section of this document): motherboard, memory, and expansion slots.
  • Page 9 FIPS compliant mode. The slot covers are included with each router, and additional covers may be ordered from Cisco. The same procedure mentioned below to apply tamper evidence labels for NMs and WICs must also be followed to apply tamper evidence labels for the slot covers.
  • Page 10: Cryptographic Key Management

    The module supports the following critical security parameters (CSPs), listed in Table 4, Critical Security Parameters (Name; CSP 1, CSP 2, CSP 3, ...).
  • Page 11 Table 4 continued, CSP 13 through CSP 17 (several entries read "Same as above"); includes the IKE session encrypt key, whose zeroization is the same as above.
  • Page 12 Table 4 continued, CSP 29 through CSP 31; includes the SSL session key, zeroized when the SSL connection is terminated, and the ARAP key that is hardcoded in the module binary image.
  • Page 13 CSP table continued, CSP 1 through CSP 11...
  • Page 14 CSP table continued, CSP 12 through CSP 23...
  • Page 15 ... HMAC SHA-1, MD5, MD4, HMAC MD5, Diffie-Hellman, and RSA (for digital signatures and encryption/decryption (for IKE authentication)) cryptographic algorithms. The MD5, HMAC MD5, and MD4 algorithms are disabled when operating in FIPS mode.
  • Page 16: Key Zeroization

    Self-tests listed on this page:
    – TDES KAT
    – AES KAT
    – SHA-1 KAT
    – PRNG KAT
    – Power-up bypass test
    – Diffie-Hellman self-test
    – HMAC SHA-1 KAT
  • Page 17: Initial Setup

    – Continuous random number generator test

    Secure Operation of the Cisco 2621XM/2651XM Router: The Cisco 2621XM and 2651XM Modular Access Routers with AIM-VPN/EP meet all the Level 2 requirements for FIPS 140-2. Follow the setting instructions provided below to place the module in FIPS mode.
  • Page 18: System Initialization And Configuration

    Although the Cisco IOS implementation of IKE allows a number of algorithms, only the following algorithms are allowed in a FIPS 140-2 configuration:
    – ah-sha-hmac
    – esp-des
    – ...
  • Page 19: Remote Access

    The Crypto Officer must configure the module so that SSH uses only FIPS-approved algorithms.

    Related Documentation: For more information about the Cisco 2621XM and Cisco 2651XM modular access routers, refer to the following documents:
    – Cisco 2600 Series Modular Routers Quick Start Guide
    – ...
  • Page 20: Ordering Documentation

    Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service contract, contact your reseller.
  • Page 21: Cisco Technical Support Website

    URL: http://www.cisco.com/techsupport/servicerequest For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
  • Page 22: Obtaining Additional Publications And Information

    You can access the Internet Protocol Journal at this URL: http://www.cisco.com/ipj
    World-class networking training is available from Cisco. You can view current offerings at this URL: http://www.cisco.com/en/US/learning/index.html
  • Page 23 CCVP, the Cisco logo, and Welcome to the Human Network are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco...