User Guide
Page 1
... 140-2 mode. FIPS 140-2 (Federal Information Processing Standards Publication 140-2-Security Requirements for cryptographic modules. Government requirements for Cryptographic Modules) details the U.S. All rights reserved. Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP. Cisco Systems, Inc. Firmware Version: IOS 12.3(3d)) meet the security requirements of the 2621XM and 2651XM...
Page 2
... Security Policy document is available on the Cisco 2621XM and Cisco 2651XM routers and the Cisco 2600 Series from the following sources: • The Cisco Systems website contains information on the Cisco Systems website at www.cisco.com. The Cisco 2621XM and 2651XM routers offer versatility, integration, and security to ... Modules (NMs) and WAN Interface Cards (WICs), the modular architecture of the Cisco router easily allows interfaces to be found at: http://www.cisco.com/en/US/products/hw/routers/ps221/index.html • For answers to technical or sales related questions please refer...
Page 3
... within this document is provided by components within the case that would be occupied by the Cisco 2621XM and 2651XM routers. All of the case; The Cisco 2621XM and 2651XM routers incorporate an AIM-VPN/EP cryptographic accelerator card. The AIM-VPN/EP is located inside the...defined as encompassing the "top," "front," "left," "right," and "bottom" surfaces of the functionality discussed in Figure 2. Cisco 2621XM and Cisco 2651XM Modular Access Routers with up to 30 thousand packets per second (Kpps) throughput capacity for the 2621XM, and 40 Kpps for building virtual private networks...
Page 4
.... The module also has two other RJ-45 connectors on the rear panel with descriptions detailed in Table 1: Cisco 2621XM and Cisco 2651XM Modular Access Routers with the PCI bridge in that the fixed LAN ports do; WICs are located above the fixed LAN ports.... integrated CSU/DSU options for back-up WAN connectivity. WICs interface directly with the cryptographic card; The 2621XM/2651XM Router Figure 2 Cisco 2621XM and Cisco 2651XM Physical Interfaces WIC slots Cisco 2650 99494 W1 SERIAL 1 CONN SERIAL 0 SEE MANUAL BEFORE INSTALLATION WIC CONN 2A/S SERIAL 1 CONN SERIAL 0...
Page 5
The 2621XM/2651XM Router Figure 3 Cisco 2621XM and Cisco 2651XM Rear Panel LEDs 100 Mbps LED Link LED ...100BASE-T Ethernet 0/0 (RJ-45) Auxiliary port (RJ-45) Console port (RJ-45) 99495 Table 1 Cisco 2621XM and Cisco 2651XM Rear Panel LEDs and Descriptions LED LINK FDX 100 Mbps Indication Green Off Green Off Green Off Description ...router's operation. The front panel displays whether or not the router is booted, if the redundant power is established Figure 4 shows the front panel LEDs, which provide overall status of the router: Cisco 2621XM and Cisco 2651XM Modular Access Routers...
Page 6
...System All of activity 1. The 2621XM/2651XM Router Table 2 Cisco 2621XM and Cisco 2651XM Front Panel LEDs and Descriptions LED Indication Description Power Green Power is supplied to the router and the router is operational RPS1 Off Green The router is not powered on RPS is attached and ...physical interfaces are separated into the logical interfaces from FIPS 140-2 as described in Table 3: Table 3 Cisco 2621XM and Cisco 2651XM FIPS 140-2 Logical Interfaces Router Physical Interface 10/100BASE-TX LAN Port WIC Interface Network Module Interface Console Port Auxiliary Port 10/100BASE...
Page 7
... TACACS+ for more information. See the "Secure Operation of the Cisco 2621XM/2651XM Router" section on page 17, for authentication and they are used in the FIPS mode. Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy OL-...User role. There are authenticated by providing a valid User username and password. The 2621XM/2651XM Router Table 3 Cisco 2621XM and Cisco 2651XM FIPS 140-2 Logical Interfaces (continued) Router Physical Interface 10/100BASE-TX LAN Port WIC Interface Network Module Interface LAN Port LEDs 10/100BASE...
Page 8
...the WAN interface slot as protocol ID, addresses, ports, TCP connection establishment, or packet direction. • Status Functions-view the router configuration, routing tables, active sessions, use Gets to view SNMP MIB II statistics, health, temperature, memory status, voltage, packet statistics... Services A User enters the system by a thick steel chassis. Cisco 2621XM and Cisco 2651XM Modular Access Routers with a terminal program. The IOS prompts the User for IP tunneling. The 2621XM/2651XM Router • Define Rules and Filters-create packet Filters that are applied...
Page 9
... the WAN interface card slot. The tamper evidence label should be placed so that one half of the router. Cisco 2621XM and Cisco 2651XM Modular Access Routers with each router, and additional covers may be ordered from Cisco. The tamper evidence label should be placed so that the one half of the label covers the enclosure...
Page 10
... CSP Name 1 CSP 1 2 CSP 2 3 CSP 3 Description Storage This is stored in Diffie-Hellman (DH) exchange. The 2621XM/2651XM Router Figure 6 Cisco 2621XM and Cisco 2651XM Tamper Evidence Label Placement W1 SERIAL 1 CONN SERIAL 0 SEE MANUAL BEFORE INSTALLATION WIC CONN 2A/S SERIAL 1 CONN SERIAL 0 WIC CONN ... updated periodically after DH shared secret has been generated. DRAM (plaintext) Cisco 2621XM and Cisco 2651XM Modular Access Routers with self-adhesive backing. Tamper evidence seals can turn off the router to verify that the module has not been tampered. This key is...
Page 11
... IKE skeyid during preshared-key authentication. Zeroized using the same mechanism as above DRAM (plaintext) The IKE session encrypt key. NVRAM (plaintext) Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy OL-6262-01 11 Zeroized when IPSec session is related to be zeroized...
Page 12
...(plaintext) This is in DRAM. NVRAM (plaintext) The plaintext password of the SSH session. This password is used in SSH. The router itself to the peer. The authentication key used as an authentication key. Therefore, this password is zeroized by executing the "no key config...password is used as this key) from the local database (on the router itself to #22 except that is zeroized by erasing the Flash. NVRAM (plaintext), DRAM (plaintext) Cisco 2621XM and Cisco 2651XM Modular Access Routers with a new password. However, it is zeroized upon completion of the ...
Page 13
...Functions Network Functions Terminal Functions Directory Services Crypto-Officer Role Configure the Router Define Rules and Filters Status Functions Manage the Router Set Encryptions/Bypass Change WAN Interface Cards SRDI/Role/Service Access ...Policy Security Relevant Data Item CSP 1 r CSP 2 r CSP 3 r CSP 4 r CSP 5 r CSP 6 r CSP 7 r CSP 8 r CSP 9 r CSP 10 r CSP 11 r dr w d r w d r w d r w d r w d r w d r w d r w d r w d r w d r w d Cisco 2621XM and Cisco 2651XM Modular Access Routers...
Page 14
... User Role Status Functions Network Functions Terminal Functions Directory Services Crypto-Officer Role Configure the Router Define Rules and Filters Status Functions Manage the Router Set Encryptions/Bypass Change WAN Interface Cards SRDI/Role/Service Access Policy CSP 12 CSP ... 17 CSP 18 CSP 19 CSP 20 CSP 21 CSP 22 CSP 23 r r w d r r w d r r w d r r w d r r w r r w d r r w d r r w d r r w d r r w w d d r r w d r r w d
Page 15
Table 5 Role and Service Access to CSPs (continued) The 2621XM/2651XM Router Role/Service User Role Status Functions Network Functions Terminal Functions Directory Services Crypto-Officer Role Configure the Router... Define Rules and Filters Status Functions Manage the Router Set Encryptions/Bypass Change WAN Interface Cards SRDI/Role/Service Access Policy CSP...
Page 16
... a security module to insure all the pre-shared keys. SHA-1 KAT - HMAC SHA-1 KAT Cisco 2621XM and Cisco 2651XM Modular Access Routers with Diffie-Hellman key agreement technique to the Description column of the self-tests fail, the router transitions into an error state. DES/3DES/AES key and HMAC-SHA-1 key are directly...
Page 17
...Firmware integrity test - Pairwise consistency test on chassis disassembly and reassembly, and AIM-VPN/EP identification. TDES KAT - Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP meet all the Level 2 requirements for detailed instructions on RSA signature - Conditional bypass test -...evidence label, the Crypto Officer should remove the entire label from the FIPS approved mode of the Cisco 2621XM/2651XM Router The Cisco 2621XM and 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy OL-6262-01 17 Follow the ...
Page 18
... ah-sha-hmac - Configuring the module to use RADIUS or TACACS+ for authentication is required for authentication. esp-des The password must be at least 8... characters) to users. Secure Operation of the Cisco 2621XM/2651XM Router • The Crypto Officer must disable IOS Password Recovery by executing the following commands: configure terminal no other than its default. ...
Page 19
...-01 19 esp-aes • The following documents: • Cisco 2600 Series Modular Routers Quick Start Guide • Cisco 2600 Series Hardware Installation Guide • Software Configuration Guide for signing - MD-4 and MD-5 for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Routers Obtaining Documentation Cisco documentation and additional literature are secured through IPSec. • SSH...
Page 20
...Tasman Drive San Jose, CA 95134-9883 We appreciate your comments. The Cisco Technical Support Website on Cisco.com features extensive online support resources. If you do not hold valid Cisco service contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical assistance. You can... Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by writing to bug-doc@cisco.com. Obtaining Technical Assistance For all ...