Cisco 2811 - Voice Security Bundle Router Operations

Integrated services routers with aim-vpn/epii-plus
Cisco 2811 and Cisco 2821
Integrated Services Routers
with
AIM-VPN/EPII-Plus
FIPS 140-2 Non Proprietary Security Policy
Level 2 Validation
Version 1.6
September 08, 2008
© Copyright 2007 Cisco Systems, Inc.
This document may be freely reproduced and distributed whole and intact including this Copyright Notice.

Summary of Contents for Cisco 2811 - Voice Security Bundle Router

  • Page 2: Table Of Contents

    2.6.1 Self-tests performed by the IOS image ............ 27
    2.6.2 Self-tests performed by NetGX Chip ............ 27
    2.6.3 Self-tests performed by AIM ............ 28
    3 Secure Operation of the Cisco 2811 or 2821 Router ............ 28
    3.1 Initial Setup ............ 28
    3.2 S...
  • Page 3: Introduction

    (http://csrc.nist.gov/groups/STM/cmvp/validation.html) contains contact information for answers to technical or sales-related questions for the module. Terminology In this document, the Cisco 2811 or 2821 routers are referred to as the router, the module, or the system. Document Organization The Security Policy document is part of the FIPS 140-2 Submission Package. In addition to this...
  • Page 4 FIPS-mode of operation. With the exception of this Non-Proprietary Security Policy, the FIPS 140-2 Validation Submission Documentation is Cisco-proprietary and is releasable only under appropriate non-disclosure agreements. For access to these documents, please contact Cisco Systems.
  • Page 5: Cisco 2811 And 2821 Routers

    The Cisco 2811 and 2821 routers provide a scalable, secure, manageable remote access server that meets FIPS 140-2 Level 2 requirements. This section describes the general features and functionality provided by the routers.
  • Page 6 Figure 3 – Rear Panel Physical Interfaces. The Cisco 2811 router features a console port, an auxiliary port, two Universal Serial Bus (USB) ports, four high-speed WAN interface card (HWIC) slots, two 10/100 Gigabit Ethernet RJ45 ports, an Enhanced Network Module (ENM) slot, and a Compact Flash (CF) drive. The 2811...
  • Page 7 Physical-to-logical interface mapping (FIPS 140-2 Logical Interface column): Data Input Interface – 10/100 Ethernet LAN Ports, HWIC Ports, Console Port, Auxiliary Port, ENM Slot, USB Ports.
  • Page 8: The 2821 Cryptographic Module Physical Characteristics

    350MHz. Depending on configuration, either the installed AIM-VPN/EPII-Plus card, the internal NetGX chip, or the IOS software is used for cryptographic operations.
  • Page 9 Figure 5 – 2821 Front Panel Physical Interfaces; Figure 6 – 2821 Rear Panel Physical Interfaces. The Cisco 2821 router features a console port, an auxiliary port, two Universal Serial Bus (USB) ports, four high-speed WAN interface card (HWIC) slots, two 10/100 Gigabit Ethernet RJ45 ports, an Enhanced Network Module (ENM) slot, a Voice Network Module (VeNoM) slot, and a Compact Flash (CF) drive.
  • Page 10 AIM LED states (partial table): AIM1 – installed and initialized; Solid Orange – AIM1 installed and initialized with error. AIM0 – AIM0 not installed; Solid Green – AIM0 installed and initialized.
  • Page 11 Front-panel indicators and ports: AIM LEDs, PVDM LEDs, Power LED, Activity LEDs, Auxiliary LED, Compact Flash LED, Console Port, Auxiliary Port, USB Ports.
  • Page 12: Roles And Services

    A tamper-evident seal will be placed over the card in the drive. 2.3 Roles and Services. Authentication in the Cisco 2811 and 2821 is role-based. There are two main roles in the router that operators can assume: the Crypto Officer role and the User role. The administrator of the router assumes the Crypto Officer role in order to configure and maintain the router using Crypto Officer services, while Users exercise only the basic User services.
  • Page 13: Unauthenticated Services

    Unauthenticated services: viewing the status output from the module's LEDs; powering the module on and off using the power switch; sending packets in bypass.
  • Page 14: Strength Of Authentication

    AIM slot, and expansion slots. The Cisco 2811 and 2821 routers require that a special opacity shield be installed over the side air vents in order to operate in FIPS-approved mode. The shield decreases the surface area of the vent holes, reducing visibility within the cryptographic boundary to FIPS-approved specifications.
  • Page 15 To seal the system, apply serialized tamper-evidence labels as follows: For Cisco 2811:
  • Page 16 Figure 9 – 2811 Tamper Evident Label Placement (Back View); Figure 10 – 2811 Tamper Evident Label Placement (Front View)
  • Page 17 7. The labels completely cure within five minutes. Figures 12, 13 and 14 show the additional tamper evidence label placements for the 2821.
  • Page 18 Figure 12 – Cisco 2821 Tamper Evident Label Placement (Back View); Figure 13 – Cisco 2821 Tamper Evident Label Placement (Front View); Figure 14 – Cisco 2821 Tamper Evident Label Placement on the Opacity Shield
  • Page 19: Cryptographic Key Management

    1536 and 2048 bits. Therefore, the Diffie-Hellman key agreement / key establishment methodology provides between 80 and 96 bits of encryption strength per NIST SP 800-57. RSA
  • Page 20 "clear crypto ipsec sa" will zeroize the Triple-DES/AES session key (which is derived using the Diffie-Hellman key agreement technique) from the DRAM. This session key is only
  • Page 21 Key table row: Triple-DES/AES – The ISAKMP security association encryption key. Storage: DRAM. Zeroization: automatically after the IKE session is terminated.
  • Page 22 AAA server and sends it onto the peer. The password retrieved from the
  • Page 23 Key table rows: RADIUS secret – shared secret; zeroized by executing the "no radius-server key" command. secret_1_0_0 – The fixed key used in Cisco vendor ID generation. This key is embedded in the module binary image and can be deleted by erasing the Flash. Storage: NVRAM. Zeroization: deleted by erasing the Flash.
  • Page 24 CSPs listed (continued): PRNG Seed Key, Diffie-Hellman private exponent, Diffie-Hellman public key, skeyid, skeyid_d, skeyid_a, skeyid_e, IKE session encrypt key, IKE session authentication key
  • Page 25 CSPs listed (continued): PPP authentication key, Router authentication key 2, SSH session key, User password, Enable password, Enable secret, RADIUS secret, secret_1_0_0
  • Page 26 CSPs listed (continued): TLS server public key, TLS pre-master secret, TLS Encryption Key, TLS Integrity Key. Table 6 – Role and Service Access to CSP
  • Page 27: Self-Tests

    Continuous random number generation test for approved and non-approved RNGs. 2.6.2 Self-tests performed by NetGX Chip: POST tests
  • Page 28: Self-Tests Performed By Aim

    Continuous RNG test for the hardware RNG. 3 Secure Operation of the Cisco 2811 or 2821 Router. The Cisco 2811 and 2821 routers meet all the Level 2 requirements for FIPS 140-2. Follow the setting instructions provided below to place the module in FIPS-approved mode. Operating this router without maintaining the following settings will remove the module from the FIPS-approved mode of operation.
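The continuous RNG test named in the self-test lists above (for the IOS image, the NetGX chip and the AIM card) is the FIPS 140-2 conditional test that compares each RNG output block with the previous one and fails on a repeat. The following is an added Python illustration of that test, not Cisco's implementation: the wrapper class, the stuck and counter sources and their names are assumptions made for the example, and the faulty RNG behaviour is constructed.

```python
"""Continuous RNG test as specified in FIPS 140-2 section 4.9.2 (conditional
tests), written as a generic wrapper around any RNG that yields fixed-size
blocks. Added example; not Cisco code and not the router's implementation."""
import os
from typing import Callable, Optional


class RngFailure(Exception):
    """Raised when the continuous test detects a repeated output block."""


class ContinuousTestedRng:
    """Apply the FIPS 140-2 continuous RNG test to a block-producing source.

    The first block generated after start-up is withheld and used only to
    seed the comparison; every subsequent block is compared with the block
    before it, and an identical pair fails the test and stops output.
    """

    def __init__(self, source: Callable[[int], bytes], block_size: int = 16):
        self._source = source          # callable returning n random bytes
        self._block_size = block_size  # FIPS requires a block of at least 16 bits
        self._last: Optional[bytes] = None

    def _take(self) -> bytes:
        block = self._source(self._block_size)
        if len(block) != self._block_size:
            raise RngFailure("RNG returned a short block")
        return block

    def next_block(self) -> bytes:
        if self._last is None:
            # Withhold the first block: it only seeds the comparison.
            self._last = self._take()
        block = self._take()
        if block == self._last:
            raise RngFailure("continuous RNG test failed: repeated block")
        self._last = block
        return block


def healthy_source(n: int) -> bytes:
    """Source backed by the OS CSPRNG (stands in for a working hardware RNG)."""
    return os.urandom(n)


def stuck_source(value: int = 0x41) -> Callable[[int], bytes]:
    """Constructed faulty RNG whose output is stuck at one byte value,
    the failure mode the continuous test exists to catch."""
    def source(n: int) -> bytes:
        return bytes([value]) * n
    return source


def counter_source() -> Callable[[int], bytes]:
    """Constructed low-entropy RNG that just counts upward. It never repeats a
    block, so the continuous test passes it: the test detects a stuck output,
    not weak entropy (assumption for the example, not a page claim)."""
    state = {"n": 0}

    def source(n: int) -> bytes:
        state["n"] += 1
        return state["n"].to_bytes(n, "big")
    return source


def blocks_until_failure(source: Callable[[int], bytes],
                         block_size: int = 16, limit: int = 200) -> int:
    """Return how many blocks the wrapped source delivered before the test
    fired; returns `limit` if it never fired within that many draws."""
    rng = ContinuousTestedRng(source, block_size)
    for delivered in range(limit):
        try:
            rng.next_block()
        except RngFailure:
            return delivered
    return limit


if __name__ == "__main__":
    print("stuck RNG delivered", blocks_until_failure(stuck_source()), "blocks")
    print("counter RNG delivered", blocks_until_failure(counter_source()), "blocks")
    print("healthy RNG delivered", blocks_until_failure(healthy_source), "blocks")
```

A stuck source is caught on the very first comparison and delivers nothing, while both the OS-backed source and the counter pass, which is the practical caveat: a passing continuous test says the RNG is not frozen, not that its output is unpredictable.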
  • Page 29: System Initialization And Configuration

    3. The following algorithms are not FIPS approved and should not be used during FIPS-approved mode: MD5 for signing; MD5 HMAC.
  • Page 30: Protocols

    The Crypto Officer must configure the module so that SSH uses only FIPS-approved algorithms. Note that all users must still authenticate after remote access is granted.
  • Page 31 CISCO EDITOR’S NOTE: You may now include all standard Cisco information included in all documentation produced by Cisco. Be sure that the following line is in the legal statements at the end of the document: By printing or making a copy of this document, the user agrees to use this information for product evaluation purposes only.