Cisco 7606 User Manual


Catalyst 6509 Switch, Cisco 7606 Router, and
Cisco 7609 Router with VPN Services Module
Certification Note
This is the non-proprietary Cryptographic Module Security Policy for the Catalyst 6509 switch and the
Cisco 7606 and Cisco 7609 routers with the VPN Services Module:
Hardware Version
  • Catalyst 6509 switch
  • Cisco 7606 router
  • Cisco 7609 router
Backplane chassis
  • Hardware Version 3.0 (Catalyst 6509 switch)
  • Hardware Version 1.0 (Cisco 7606 router)
  • Hardware Version 1.0 (Cisco 7609 router)
Supervisor Engine—Hardware Version 3.2
VPN Services Module—Hardware Version 1.2; Firmware Version 12.2(14)SY3
This security policy describes how the Catalyst 6509 switch and the Cisco 7606 and Cisco 7609 routers
with the VPN Services Module meet the security requirements of FIPS 140-2, and describes how to
operate the hardware devices in a secure FIPS 140-2 mode. This policy was prepared as part of the
Level 2 FIPS 140-2 validation of the Catalyst 6509 switch and the Cisco 7606 and Cisco 7609 routers
with the VPN Services Module.
FIPS 140-2 (Federal Information Processing Standards Publication 140-2—Security Requirements for
Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More
information about the FIPS 140-2 standard and validation program is available on the NIST website at
http://csrc.nist.gov/cryptval/.
Corporate Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
© 2005 Cisco Systems, Inc. All rights reserved.


Summary of Contents for Cisco 7606

  • Page 2: Table Of Contents

    Cryptographic Key Management, page 21 • Key Zeroization, page 25 • Self-Tests, page 25 Secure Operation of the Catalyst 6509 Switch and the Cisco 7606 and Cisco 7609 Routers, page 26 • Obtaining Documentation and Submitting a Service Request, page 28 • References...
  • Page 3: Document Organization

    Other supporting documentation as additional references. This publication provides an overview of the Catalyst 6509 switch and the Cisco 7606 and Cisco 7609 routers and explains the secure configuration and operation of the modules. This introduction section is followed by the “Catalyst 6509 Switch and Cisco 7606 and Cisco 7609...
  • Page 4: Catalyst 6509 Switch And Cisco 7606 And Cisco 7609 Routers

    The Catalyst 6509 switch and the Cisco 7606 and Cisco 7609 routers with the VPN Services Module offer versatility, integration, and security to branch offices. With numerous network modules and service modules available, the modular architecture of the Cisco router easily allows interfaces to be upgraded to accommodate network expansion.
  • Page 5: Catalyst 6509 Switch And Cisco 7606 And Cisco 7609 Routers

    [Figure callouts: OSM-4OC 12 POS-SI 4 PORT OC-12 POS SM; Slots 1-6 (top to bottom); Fan assembly] Catalyst 6509 Switch, Cisco 7606 Router, and Cisco 7609 Router with VPN Services Module Certification Note OL-6334-01...
  • Page 6: Catalyst 6509/Cisco 7606/Cisco 7609 Cryptographic Module

    The connection apparatus between the network module or service module and the motherboard and daughterboard that hosts the network module or service module.
  • Page 7 The Catalyst 6509 switch and the Cisco 7606 and Cisco 7609 routers incorporate a single VPN Services Module cryptographic accelerator card. The VPN Services Module is installed in a chassis module slot.
  • Page 8 The link has been disabled by software. Flashing The link is bad and has been disabled due to a hardware failure. Orange No signal is detected.
  • Page 9 Network and service module interfaces Console port Compact flash (PCMCIA) slot Ethernet ports Control input interface Network and service module interfaces Console port Reset button
  • Page 10: Roles And Services

    Catalyst 6509 switch and the Cisco 7606 and Cisco 7609 routers can be found in the Performing Basic System Management manual and in the online help for the switch or the router.
  • Page 11 A user enters the system by accessing the console port with a terminal program. Cisco IOS prompts the user for their password. If the password is correct, the user is allowed entry to the Cisco IOS executive program. The user services consist of the following: Status functions—Views state of interfaces, state of Layer 2 protocols, and version of Cisco IOS...
  • Page 12: Installing The Opacity Shield On The Catalyst 6509 Switch

    Step 9: Press the opacity shield firmly against the side of the chassis and secure the opacity shield to the chassis with the two thumbscrews.
  • Page 13: Installing The Opacity Shield On The Catalyst 6509 Switch

    If you need to remove the Catalyst 6509 chassis from the rack, you must first remove the opacity shield. With the opacity shield installed, the chassis is too wide to slide out of the rack.
  • Page 14 [Figure callouts: M-4 snap rivet; M-4 snap rivet sleeve; chassis shown removed from rack for clarity]
  • Page 15: Installing The Opacity Shield On The Cisco 7600 Series Routers

    6), follow these steps: Step 1 The opacity shield is designed to be installed on a Cisco 7606 chassis that is already rack-mounted. If your Cisco 7606 chassis is not rack-mounted, install the chassis in the rack using the procedures contained in the Cisco 7600 Series Router Installation Guide.
  • Page 16: Installing The Opacity Shield On The Cisco 7600 Series Routers

    If you need to remove the Catalyst 6509 chassis from the rack, you must first remove the opacity shield. With the opacity shield installed, the chassis is too wide to slide out of the rack.
  • Page 17 [Figure callouts: Snap rivet; Snap rivet sleeve; chassis shown removed from rack for clarity]
  • Page 18: Physical Security

    The router is entirely encased by a thick steel chassis. Nine module slots are provided on the Catalyst 6509 switch and the Cisco 7609 router; six module slots are provided on the Cisco 7606 router. On-board LAN connectors and console connectors are provided on the supervisor engines, and the power cable connection and a power switch are provided on the power supply of both models.
  • Page 19 • For the Cisco 7606 router chassis only, place one label so that one half of the label adheres to the bottom of the opacity shield and the other half adheres to the bottom of the chassis.
  • Page 20 [Figure: Cisco 7609 Router Chassis Tamper Evidence Label Placement]
  • Page 21: Cryptographic Key Management

    The IKE session authentication key. It is zeroized when an IKE session is terminated. Stored in DRAM (plaintext). crypto_private_key: The RSA private key. The crypto key zeroize command zeroizes this key. Stored in NVRAM (plaintext).
  • Page 22: Cryptographic Key Management

    The key used to encrypt values of the configuration file. This key is zeroized when the command no key config-key is issued. Stored in NVRAM (plaintext).
  • Page 23 DRAM (plaintext) Table 4 lists the services accessing the CSPs, the type of access and which role accesses the CSPs.
  • Page 24 • HMAC • DES MAC • Triple-DES MAC MD5 HMAC • Diffie-Hellman • RSA [for digital signatures and encryption/decryption (for IKE authentication)]
  • Page 25: Key Zeroization

    – RSA signature Known Answer Test (KAT) (both signature and verification) – DES KAT – TDES KAT – AES KAT – SHA-1 KAT
  • Page 26: Secure Operation Of The Catalyst 6509 Switch And The Cisco 7606 And Cisco 7609 Routers

    The Catalyst 6509 switch and the Cisco 7606 router and the Cisco 7609 router with the VPN Services Module meet all the Level 2 requirements for FIPS 140-2. Follow the setting guidelines provided in the following sections to place the module in a FIPS-approved mode of operation.
  • Page 27 RADIUS or TACACS+, the Crypto-Officer must define RADIUS or TACACS+ shared secret keys that are at least 8 characters long. If the crypto officer loads any Cisco IOS image onto the switch or router, this will put the switch or •...
  • Page 28: Obtaining Documentation And Submitting A Service Request

    Cisco currently supports RSS Version 2.0.

This manual is also suitable for:

Ws-c650965097609
