Network Modules; Wan Interface Cards; Console Port - Cisco 2621 User Manual

Modular access router security policy

Network Modules and WAN Interface Cards

Network Modules

When a network module is inserted, it fits into an adapter called the network module expansion bus. The
expansion bus interacts with the PCI bridge in the same way that the fixed LAN ports do; therefore, no
critical security parameters pass through the network module (just as they don't pass through the LAN
ports).

The Advanced Interface Module (AIM) socket, which contains the cryptographic accelerator card,
interacts with only the PCI bridge. There is no direct interaction between the AIM socket and the
network module expansion bus, just as there is no interaction between the fixed AIM socket and the fixed
LAN ports. Furthermore, network modules do not perform any cryptographic functions.

The Cisco 2651 block diagram clearly depicts the distinction between the network module slot and the
AIM socket. The block diagram for the crypto card clearly delineates that the network modules and
network module expansion bus have no direct interaction with the crypto card. Therefore, no security
parameters pass through the network module expansion bus to the crypto card or vice versa.

The expansion bus for the network module card is inside the cryptographic boundary, but it services only
the network modules (physical interfaces) and has no effect on the cryptographic processing of the
module. If the expansion bus were at the router's cryptographic boundary (as opposed to being inside the
boundary), the same principles would apply. While the cryptographic boundary is drawn at the router
case, adding and removing network modules will not compromise the security of the router.

As described in the "Roles and Services" section on page 6, only a Crypto Officer may replace a network
module. If someone other than the Crypto Officer attempts to change a network module, the stickers over
the network module slot will indicate tamper evidence. Thus, only valid network modules will be used
and only the proper authority may change them. The "Physical Security" section on page 7 provides
instructions to change network modules in a FIPS-approved manner.

WAN Interface Cards

WICs are similar to network modules in that they greatly increase the router's flexibility. The WICs are
inserted into one of two slots, which are located above the fixed LAN ports. WICs interface directly with
the processor. They do not interface with the cryptographic card; therefore no security parameters will
pass through them. WICs cannot perform cryptographic functions; they only serve as a data input and
data output physical interface. Please refer to the block diagrams for further reference. Only the Crypto
Officer may change WICs, and they must follow the same guidelines for changing network modules (see
the "Physical Security" section on page 7).

Console Port

Additionally, the console port does not directly interface with the network modules, the WICs, or the
AIM socket; therefore, no critical security parameters will be passed over the network modules, WICs,
or cryptographic processing card from the terminal.

Conclusion

Network modules and WAN Interface Cards do not affect the cryptographic processing of the router, nor
are they privy to any security parameters contained in the router's cryptographic card. The following
table describes the input data types and output data types of network modules and WICs:
Cisco 2651 Modular Access Router Security Policy
78-13697-01
