Cisco 2811 Operations


Cisco 2811 and Cisco 2821 Integrated Services
Router FIPS 140-2 Non Proprietary Security
Policy
Level 2 Validation
Version 1.3
November 23, 2005
Introduction
This document is the non-proprietary Cryptographic Module Security Policy for the Cisco 2811 and
Cisco 2821 Integrated Services Routers without an AIM card installed. This security policy describes
how the Cisco 2811 and Cisco 2821 Integrated Services Routers (Hardware Version: 2811 or 2821;
Firmware Version: 12.3(11)T03) meet the security requirements of FIPS 140-2, and how to operate the
router in a secure FIPS 140-2 mode. This policy was prepared as part of the Level 2 FIPS 140-2
validation of the Cisco 2811 or Cisco 2821 Integrated Services Router.
FIPS 140-2 (Federal Information Processing Standards Publication 140-2—Security Requirements for
Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More
information about the FIPS 140-2 standard and validation program is available on the NIST website at
http://csrc.nist.gov/cryptval/.
This document contains the following sections:
Introduction, page 1
Cisco 2811 and Cisco 2821 Routers, page 2
Secure Operation of the Cisco 2811 or Cisco 2821 router, page 22
Related Documentation, page 23
Obtaining Documentation, page 24
Documentation Feedback, page 25
Cisco Product Security Overview, page 25
Obtaining Technical Assistance, page 26
Corporate Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
© 2005 Cisco Systems, Inc. All rights reserved.

Summary of Contents for Cisco 2811

  • Page 1 Cisco 2821 Integrated Services Router without an AIM card installed. This security policy describes how the Cisco 2811 and Cisco 2821 Integrated Services Router (Hardware Version: 2811 or 2821; Firmware Version: 12.3(11)T03) meet the security requirements of FIPS 140-2, and how to operate the router enabled in a secure FIPS 140-2 mode.
  • Page 2: Document Organization

    • for answers to technical or sales-related questions for the module. Terminology In this document, the Cisco 2811 or Cisco 2821 routers are referred to as the router, the module, or the system. Document Organization The Security Policy document is part of the FIPS 140-2 Submission Package. In addition to this...
  • Page 3 Figure 3 Cisco 2811 Rear Panel Physical Interfaces The Cisco 2811 router features a console port, an auxiliary port, two Universal Serial Bus (USB) ports, four high-speed WAN interface card (HWIC) slots, two 10/100 Gigabit Ethernet RJ45 ports, an Enhanced Network Module (ENM) slot, and a Compact Flash (CF) drive. The Cisco 2811 router supports one...
  • Page 4 1. However, an AIM module may not be installed in accordance with this security policy. There is a separate security policy covering the Cisco 2811 and Cisco 2821 routers with AIM module installed. Cisco 2811 and Cisco 2821 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy...
  • Page 5 Speed Link The physical interfaces are separated into the logical interfaces from FIPS 140-2 as described in the Table Cisco 2811 and Cisco 2821 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy OL-8663-01 Cisco 2811 Rear Panel Indicators State...
  • Page 6 The card itself must never be removed from the drive. Tamper evident seal will be placed over the card in the drive. Cisco 2811 and Cisco 2821 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy FIPS 140-2 Logical Interface...
  • Page 7 The interfaces for the router are located on the front and rear panel as shown in respectively. Figure 5 Cisco 2821 Front Panel Physical Interfaces Cisco 2811 and Cisco 2821 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy OL-8663-01 CO NS OL AU X...
  • Page 8 AIM1 AIM0 The Cisco 2821 router features a console port, an auxiliary port, two Universal Serial Bus (USB) ports, four high-speed WAN interface card (HWIC) slots, two 10/100 Gigabit Ethernet RJ45 ports, an Enhanced Network Module (ENM) slot, a Voice Network Module (VeNoM) slot, and a Compact Flash (CF) drive.
  • Page 9 Table 7 describes the meaning of Ethernet LEDs on the front panel: Cisco 2811 and Cisco 2821 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy OL-8663-01 provide more detailed information conveyed by the LEDs on the front and rear panel...
  • Page 10 VeNoM Slot 10/100 Ethernet LAN Ports HWIC Ports Power Switch Console Port Auxiliary Port ENM Slot Cisco 2811 and Cisco 2821 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy State Description Not receiving packets Solid/Blinking Green Receiving packets Half-Duplex...
  • Page 11: Roles And Services

    Tamper evident seal will be placed over the card in the drive. Roles and Services Authentication in Cisco 2811 and Cisco 2821 is role-based. There are two main roles in the router that operators can assume: the Crypto Officer role and the User role. The administrator of the router assumes the Crypto Officer role in order to configure and maintain the router using Crypto Officer services, while the Users exercise only the basic User services.
  • Page 12: Physical Security

    Step 4 The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the port adapter slot. Cisco 2811 and Cisco 2821 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy OL-8663-01...
  • Page 13 Step 4 The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the port adapter slot. Cisco 2811 and Cisco 2821 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy OL-8663-01 show the tamper evidence label placements for the Cisco 2811.
  • Page 14: Cryptographic Key Management

    Officer. All zeroization consists of overwriting the memory that stored the key. Keys are exchanged and entered electronically or via Internet Key Exchange (IKE). Cisco 2811 and Cisco 2821 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy show the tamper evidence label placements for the Cisco 2821.
  • Page 15: Key Zeroization

    DRAM; therefore this command will completely zeroize this key. The following command will zeroize the pre-shared keys from the DRAM: Cisco 2811 and Cisco 2821 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy OL-8663-01 Cisco 2811 and Cisco 2821 Routers...
  • Page 16 /AES IKE session HMAC- The IKE session authentication key. authentication SHA-1 or DES MAC Cisco 2811 and Cisco 2821 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy Zeroization Storage Method DRAM Automatically every (plaintext) 400 bytes, or turn off the router.
  • Page 17 The plaintext password of the CO role. This password Secret password is zeroized by overwriting it with a new password. Cisco 2811 and Cisco 2821 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy OL-8663-01 Cisco 2811 and Cisco 2821 Routers NVRAM “# no crypto isakmp (plaintext ) key”...
  • Page 18 SRDI/Role/Service Access Policy Security Relevant Data Item PRNG Seed DH private exponent DH public key Cisco 2811 and Cisco 2821 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy Role and Service Access to CSP NVRAM Overwrite with new (plaintext)
  • Page 19 IKE session authentication key ISAKMP preshared IKE hash key secret_1_0_0 IPSec encryption key Cisco 2811 and Cisco 2821 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy OL-8663-01 Role and Service Access to CSP (Continued) Cisco 2811 and Cisco 2821 Routers...
  • Page 20 PPP Authentication key Router authentication key 2 SSH session key User password Enable password Enable secret RADIUS secret TACACS+ secret Cisco 2811 and Cisco 2821 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy Role and Service Access to CSP (Continued) OL-8663-01...
  • Page 21 IPSec, and a continuous random number generator test. If any of the self-tests fail, the router transitions into an error state. In the error state, all secure data transmission is halted and the router outputs status information indicating the failure.
  • Page 22: Initial Setup

    Secure Operation of the Cisco 2811 or Cisco 2821 router The Cisco 2811 and Cisco 2821 routers meet all the Level 2 requirements for FIPS 140-2. Follow the setting instructions provided below to place the module in FIPS-approved mode. Operating this router without maintaining the following settings will remove the module from the FIPS approved mode of operation.
  • Page 23: Ipsec Requirements And Cryptographic Algorithms

    Note that all users must still authenticate after remote access is granted. Related Documentation For more information about the Cisco 2811 and Cisco 2821 Integrated Services Routers, refer to the following documents: Cisco 2800 Series Integrated Services Routers Quick Start Guides •...
  • Page 24: Obtaining Documentation

    Cisco products and to view technical documentation in HTML. With the DVD, you have access to the same documentation that is found on the Cisco website without being connected to the Internet. Certain products also have .pdf versions of the documentation available.
  • Page 25: Documentation Feedback

    Register to receive security information from Cisco. • A current list of security advisories and notices for Cisco products is available at this URL: http://www.cisco.com/go/psirt If you prefer to see advisories and notices as they are updated in real time, you can access a Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL: http://www.cisco.com/en/US/products/products_psirt_rss_feed.html...
  • Page 26: Obtaining Technical Assistance

    Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting Note a web or phone request for service. You can access the CPI tool from the Cisco Technical Support & Documentation website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts &...
  • Page 27: Submitting A Service Request

    Cisco engineer. The TAC Service Request Tool is located at this URL: http://www.cisco.com/techsupport/servicerequest For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
  • Page 28 Obtaining Additional Publications and Information Cisco Press publishes a wide range of general networking, training and certification titles. Both new • and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL: http://www.ciscopress.com...
  • Page 29 Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the...
  • Page 30 Obtaining Additional Publications and Information Cisco 2811 and Cisco 2821 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy OL-8663-01...
