User Guide

Page 1

... AIM-VPN/EP: Hardware Version 1.0, Board Version B0

This document contains the following sections:
• Introduction, page 1
• The 2621XM/2651XM Router, page 2
• Secure Operation of the Cisco 2621XM/2651XM Router, page 17
• Related Documentation, page 19
• Obtaining Documentation, page 19
• Documentation Feedback, page 20
• Obtaining Technical Assistance ...
Page 2

... for the FIPS mode of operation. ... In addition to this document, the Submission Package contains: ...

More information on the Cisco 2621XM and Cisco 2651XM routers and the Cisco 2600 Series is available from the following sources:
• The Cisco Systems website at www.cisco.com.
• ...

The 2621XM/2651XM Router

The Cisco 2621XM and 2651XM routers offer versatility, integration, and security ... This section describes the operations and capabilities of the Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP ...
Page 3

... Remote Access WANs via IPSec, Layer 2 Forwarding (L2F) and Layer 2 Tunneling Protocol (L2TP) make the Cisco 2600 an ideal platform for building virtual private networks or outsourced dial solutions. ... The Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP are multiple-chip standalone cryptographic modules. The cryptographic boundary ... the Cisco 2621XM and 2651XM routers ... The AIM-VPN/EP is located inside ...

Module Interfaces

The interfaces for ... may be occupied by an installed WIC or Network Module ... up to ... to accommodate a WIC or Network Module ...
Page 4

... card. The module also has two other RJ-45 connectors on the rear panel, with descriptions detailed in Table 1. ... the PCI bridge ... mixed Token-Ring and Ethernet. Available Network Modules support multi-service voice/data/fax integration, departmental dial concentration, and high-density serial options. All Cisco 2600 series routers include an auxiliary port supporting 115 Kbps Dial-On-Demand Routing, ideal for ... the power supply and a power switch. A WIC is ...
Page 5

... booted, if the redundant power ... is established. Figure 4 shows the front panel LEDs, which provide overall status of the router's operation. Table 2 provides more detailed information conveyed by the LEDs on the front panel of the router.

Figure 3 Cisco 2621XM and Cisco 2651XM Rear Panel LEDs (per-port 100 Mbps, Link and FDX LEDs; SERIAL 1 ...)

Figure 4 Front Panel LEDs (POWER, RPS, ACTIVITY)

Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy, OL-6262-01
Page 6

Table 2 Cisco 2621XM and Cisco 2651XM Front Panel LEDs and Descriptions

LED      | Indication | Description
Power    | Off        | The router is not powered on
Power    | Green      | Power is supplied to the router and the router is operational
RPS (1)  | Off        | ...
RPS (1)  | Green      | RPS is attached and ...
Activity | ...        | ... system activity ...

1. ...

The physical interfaces are separated into the logical interfaces defined by FIPS 140-2, as described in Table 3:

Table 3 Cisco 2621XM and Cisco 2651XM FIPS 140-2 Logical Interfaces

Router Physical Interface | FIPS 140-2 Logical Interface
10/100BASE-TX LAN Port, WIC Interface, Network Module Interface, Console Port, Auxiliary Port | ...
10/100BASE-... | ...
Page 7

Table 3 Cisco 2621XM and Cisco 2651XM FIPS 140-2 Logical Interfaces (continued)

Router Physical Interface | FIPS 140-2 Logical Interface
... | Status Output Interface
... | Power Interface

Roles and Services

There are two roles that an operator may assume: the Crypto Officer role and the User role. ... by providing a valid username and password. ... Authentication is ... The probability of randomly guessing the correct sequence is ... The Crypto Officer is responsible for the configuration and maintenance ... See the "Secure Operation of the Cisco 2621XM/2651XM Router" section on page 17 for more information.
Page 8

... with a terminal program. The IOS prompts the User for ... The User is then allowed entry to the IOS executive program. ... on each IP range or allow access ... for each interface ... files kept in flash memory ...

Physical Security

The top portion of the chassis may be removed (see Figure 5), allowing access to the motherboard, memory, and expansion slots: 1 Network Module slot and 2 WIC slots. The rear of ...
Page 9

... the WAN interface card slot. Any attempt to remove a Network Module will leave tamper evidence. ...

Figure 5 Cisco 2621XM and Cisco 2651XM Chassis Removal

Any NM or WIC slot which is not populated with a NM or WIC must ... The slot covers ... with each router, and additional covers may be ordered from Cisco. ... To meet FIPS 140-2 Level 2 requirements, the router ... cannot be accessed without signs of ... The same procedure mentioned below ... free of any grease, dirt, or oil before ...
Page 10

... of 400 bits ... The tamper evidence seals ... with self-adhesive backing ... provide physical protection ...

Figure 6 Cisco 2621XM and Cisco 2651XM Tamper Evidence Label Placement

Table 4 Critical Security Parameters

#   | CSP | Description | Storage | Zeroization
... | ... | ... for DH and RSA key generation ... | DRAM (plaintext) | ...
Page 11

Table 4 Critical Security Parameters (continued)

#   | CSP    | Description | Storage | Zeroization
4   | CSP 4  | ... | ... | ...
5   | CSP 5  | ... | ... | ...
6   | CSP 6  | ... | ... | ...
7   | CSP 7  | ... | ... | ...
8   | CSP 8  | ... | ... | ...
9   | CSP 9  | ... | ... | ...
10  | CSP 10 | ... | ... | ...
11  | CSP 11 | ... | ... | ...
... | ...    | ... that key. | DRAM (plaintext) | The zeroization is the same as above.
... | ...    | The RSA private key. | NVRAM (plaintext) | The zeroization is the same as above ...
... | ...    | ... the public key ... Cisco vendor ID generation ... is a public key. | ... | ... zeroized when the IPSec session is ...
Page 12

Table 4 Critical Security Parameters (continued)

#   | CSP | Description | Storage | Zeroization
... | ... | ... SSH session ... | DRAM | Zeroized ... by executing the "no" form of the ... command
... | ... | ... authentication attempt ... | NVRAM (plaintext), DRAM (plaintext) | ...
... | ... | ... a new password ... | DRAM (plaintext) | ...
... | ... | The RSA public key ... | NVRAM (plaintext) | ... This is ... terminated ...
... | ... | ... in a DES algorithm ... for FIPS purposes. Therefore, this password is ... | ... | ... zeroized by erasing the Flash.
... | ... | The authentication key used by the router to ... | DRAM | ... zeroize this key in the DRAM ... DRAM not zeroized at runtime.
... | ... | This password is not FIPS approved. | NVRAM (plaintext) | ...
Page 13

Table 5 Role and Service Access to CSPs

Role / Service (SRDI/Role/Service Access Policy) | Security Relevant Data Item: CSP 1 ... CSP 11 (r = read, w = write, d = delete)
User Role
  Status Functions          | ...
  Network Functions         | ...
  Terminal Functions        | ...
  Directory Services        | ...
Crypto-Officer Role
  Configure the Router      | ...
  Define Rules and Filters  | ...
  Status Functions          | ...
  Manage the Router         | ...
  Set Encryptions/Bypass    | ...
  Change WAN Interface Cards | ...
Page 14

Table 5 Role and Service Access to CSPs (continued)

Role / Service (SRDI/Role/Service Access Policy) | CSP 12 ... CSP 23 (r = read, w = write, d = delete)
User Role
  Status Functions          | ...
  Network Functions         | ...
  Terminal Functions        | ...
  Directory Services        | ...
Crypto-Officer Role
  Configure the Router      | ...
  Define Rules and Filters  | ...
  Status Functions          | ...
  Manage the Router         | ...
  Set Encryptions/Bypass    | ...
  Change WAN Interface Cards | ...
Page 15

Table 5 Role and Service Access to CSPs (continued)

Role / Service (SRDI/Role/Service Access Policy) | CSP ...
User Role
  Status Functions          | ...
  Network Functions         | ...
  Terminal Functions        | ...
  Directory Services        | ...
Crypto-Officer Role
  Configure the Router      | ...
  Define Rules and Filters  | ...
  Status Functions          | ...
  Manage the Router         | ...
  Set Encryptions/Bypass    | ...
  Change WAN Interface Cards | ...
Page 16

... All Diffie-Hellman (DH) keys agreed upon ... pre-shared keys ... entered manually ... or electronically ... with all the pre-shared keys ...

Note After the router recovers from ...

The module supports three types of key management schemes:
• Manual key exchange method that ...
• ...
• ...

Self-tests:
- AES KAT
- Diffie-Hellman self-test
- RSA signature KAT (both signature and verification)
- SHA-1 KAT
- HMAC SHA-1 KAT
- ...

If any ... failure of a ...
Page 17

- TDES KAT
- SHA-1 KAT
- ...
• Conditional tests:
  - RSA signature ... (conditional)
  - ...

Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP meet all the Level 2 requirements for FIPS 140-2. ...

Secure Operation of the Cisco 2621XM/2651XM Router

... Please refer to the "Physical Security" section ... to place the module in FIPS mode ... for detailed instructions on ... AIM-VPN/EP identification ... (...hw_inst/aim_inst/aims_ins.pdf) ...
• The Crypto Officer must re-apply tamper evidence labels on the router as described in the "Physical Security" section ...
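The self-test lists above name the module's known-answer tests but do not show how such a test behaves. The Python harness below is added here as an illustration; it is not Cisco code and does not reproduce the router's or the AIM-VPN/EP's own tests. It shows the mechanics a practitioner should expect: a fixed input is run through the implementation, the output is compared against a published answer, and one failure puts the module into an error state in which every cryptographic service is refused until the tests are run again. Only the SHA-1 KAT, the HMAC SHA-1 KAT and a continuous random-number generator test are implemented. The vectors (FIPS 180-1 "abc", RFC 2202 test case 1), the module class and its state names, and the deliberately broken SHA-1 are my additions; the error-state rule and the continuous RNG test are general FIPS 140-2 requirements, not statements taken from this page.

```python
"""Power-on self-test harness modelled on the FIPS 140-2 known-answer
tests listed in the security policy.  Added example, not Cisco code."""
import hashlib
import hmac
import os
from typing import Callable, List, Optional, Tuple


class SelfTestFailure(Exception):
    """Raised when a test fails or a service is requested in the error state."""


# Published known-answer vectors (FIPS 180-1 and RFC 2202), not from the page.
SHA1_KAT_MSG = b"abc"
SHA1_KAT_DIGEST = "a9993e364706816aba3e25717850c26c9cd0d89d"
HMAC_KAT_KEY = bytes([0x0B]) * 20
HMAC_KAT_MSG = b"Hi There"
HMAC_KAT_TAG = "b617318655057264e28bc0b6fb378c8ef146be00"


def sha1_kat(impl: Callable = hashlib.sha1) -> bool:
    """Hash a fixed message with `impl` and compare with the published digest."""
    return impl(SHA1_KAT_MSG).hexdigest() == SHA1_KAT_DIGEST


def hmac_sha1_kat(digestmod: Callable = hashlib.sha1) -> bool:
    """HMAC a fixed key/message and compare with the published tag."""
    tag = hmac.new(HMAC_KAT_KEY, HMAC_KAT_MSG, digestmod).hexdigest()
    return hmac.compare_digest(tag, HMAC_KAT_TAG)


def broken_sha1_kat() -> bool:
    """Simulated firmware defect: the 'SHA-1' routine is really MD5."""
    return sha1_kat(impl=hashlib.md5)


class ContinuousRngTest:
    """FIPS 140-2 continuous RNG test: every block must differ from the
    previous one.  The first block is held back and never handed out."""

    def __init__(self, source: Callable[[int], bytes] = os.urandom, block_size: int = 16):
        self._source = source
        self._size = block_size
        self._last: Optional[bytes] = None

    def next_block(self) -> bytes:
        if self._last is None:
            self._last = self._source(self._size)
        block = self._source(self._size)
        if block == self._last:
            raise SelfTestFailure("continuous RNG test failed: repeated block")
        self._last = block
        return block


def rng_stuck(source: Callable[[int], bytes] = os.urandom, draws: int = 4) -> bool:
    """Drive the continuous test for a few blocks; True if it trips."""
    rng = ContinuousRngTest(source=source)
    try:
        for _ in range(draws):
            rng.next_block()
    except SelfTestFailure:
        return True
    return False


class CryptoModule:
    """State machine POWER_ON -> SELF_TEST -> OPERATIONAL, or ERROR if any
    test fails.  Services are only offered in the OPERATIONAL state."""

    def __init__(self, tests: Optional[List[Tuple[str, Callable[[], bool]]]] = None):
        self.state = "POWER_ON"
        self.tests = tests if tests is not None else [
            ("SHA-1 KAT", sha1_kat),
            ("HMAC SHA-1 KAT", hmac_sha1_kat),
        ]
        self.results: List[Tuple[str, bool]] = []

    def power_on(self) -> str:
        self.state = "SELF_TEST"
        for name, test in self.tests:
            ok = test()
            self.results.append((name, ok))
            if not ok:
                self.state = "ERROR"   # stays here until a reboot re-runs the tests
                return self.state
        self.state = "OPERATIONAL"
        return self.state

    def service_available(self) -> bool:
        return self.state == "OPERATIONAL"

    def hmac_sha1(self, key: bytes, data: bytes) -> str:
        """Example service gated on the self-test outcome."""
        if not self.service_available():
            raise SelfTestFailure(f"module in {self.state} state; service refused")
        return hmac.new(key, data, hashlib.sha1).hexdigest()


if __name__ == "__main__":
    good = CryptoModule()
    print("healthy module:", good.power_on(), good.results)
    bad = CryptoModule(tests=[("SHA-1 KAT", broken_sha1_kat)])
    print("defective module:", bad.power_on(), bad.results)
    print("stuck RNG detected:", rng_stuck(source=lambda n: b"\x00" * n))
```

Run directly, the script shows a healthy module passing both KATs, a module whose SHA-1 is wrong failing the KAT and refusing service, and the continuous test tripping on a generator that returns the same block twice. A KAT checks the implementation that is actually in the image against a known answer; it is a regression check on the binary, not evidence that the algorithm is used correctly elsewhere.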
Page 18

System Initialization and Configuration

• ...3(3d) ...
• Configuring the module to use RADIUS or TACACS+ ... is optional. ... for the Crypto Officer role ...
• ... must be at least 8 characters and is entered when the Crypto Officer first engages the "enable" command.
• The Crypto Officer must disable IOS Password Recovery by executing the following commands:
  configure terminal
  no ...
• ... other than its default ...
• ... esp-des ...
Page 19

... uses only FIPS-approved algorithms. ... MD-4 and MD-5 ... MD-5 HMAC ... are not FIPS approved ...

Protocols

• All SNMP operations ... should be performed within a secure IPSec tunnel. ... must configure the module so ...

Related Documentation

For more information about the Cisco 2621XM and Cisco 2651XM modular access routers, refer to the following ... available on Cisco.com:
• ... for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Routers
• ...

Obtaining Documentation

Cisco documentation and additional literature are ... to obtain technical assistance and other technical resources.
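The Secure Operation items (password recovery disabled, an enable password of at least 8 characters, only FIPS-approved algorithms, SNMP carried only inside an IPsec tunnel) are stated as things the Crypto Officer must check by hand. The script below is added here as an example of turning them into a static audit of a saved running-config; it is not a Cisco tool. It shows a failing configuration next to one that passes. The IOS command names it looks for ("no service password-recovery", "enable secret", "crypto isakmp policy", "crypto ipsec transform-set", "snmp-server"), the set of transforms it treats as non-approved (built from the page's mentions of esp-des and MD-5 HMAC, plus the matching AH transform), both sample configurations, and the one-in-a-million single-guess bound (the FIPS 140-2 authentication requirement) are my assumptions, not text from the page.

```python
"""Static FIPS-mode audit of an IOS running-config.  Added example, not a
Cisco tool; command names, flagged transforms and sample configs are mine."""
from collections import namedtuple
from typing import Iterator, List, Set, Tuple

Finding = namedtuple("Finding", "level code message")

# Transforms / IKE settings treated as outside FIPS mode (assumption based on
# the page's esp-des and MD-5 HMAC mentions; ah-md5-hmac added by analogy).
NON_APPROVED_TRANSFORMS = {"esp-des", "esp-md5-hmac", "ah-md5-hmac"}
NON_APPROVED_IKE = {("hash", "md5"), ("encr", "des"), ("encryption", "des")}

# Constructed sample configurations (not captured from a real device).
WEAK_CONFIG = """\
version 12.3
enable password cisco
crypto isakmp policy 10
 encr des
 hash md5
 authentication pre-share
crypto ipsec transform-set OLD esp-des esp-md5-hmac
snmp-server community public RO
"""

HARDENED_CONFIG = """\
version 12.3
no service password-recovery
enable secret 5 $1$abcd$WMjQU3ZsyyoYRjb8m2hHf/
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
crypto ipsec transform-set FIPS esp-3des esp-sha-hmac
snmp-server community s3cret RO
"""


def blocks(config: str) -> Iterator[Tuple[str, List[str]]]:
    """Group an IOS config into (top-level line, indented sub-lines)."""
    header, body = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            body.append(raw.strip())
        else:
            if header is not None:
                yield header, body
            header, body = raw.strip(), []
    if header is not None:
        yield header, body


def audit_config(config: str) -> List[Finding]:
    """Return FAIL findings for provable violations and WARN for manual checks."""
    found: List[Finding] = []
    parsed = list(blocks(config))
    headers = [h for h, _ in parsed]
    snmp_seen = False

    if "no service password-recovery" not in headers:
        found.append(Finding("FAIL", "PASSWORD_RECOVERY",
                             "IOS password recovery is not disabled"))
    if not any(h.startswith("enable secret") for h in headers):
        found.append(Finding("FAIL", "ENABLE_SECRET",
                             "no 'enable secret' configured for the Crypto Officer"))
    for header, body in parsed:
        if header.startswith("crypto ipsec transform-set"):
            bad = sorted(set(header.split()) & NON_APPROVED_TRANSFORMS)
            if bad:
                found.append(Finding("FAIL", "IPSEC_TRANSFORM",
                                     f"{header}: non-approved {', '.join(bad)}"))
        elif header.startswith("crypto isakmp policy"):
            for line in body:
                if tuple(line.split()[:2]) in NON_APPROVED_IKE:
                    found.append(Finding("FAIL", "IKE_ALGORITHM",
                                         f"{header}: '{line}' is not FIPS approved"))
        elif header.startswith("snmp-server") and not snmp_seen:
            snmp_seen = True
            found.append(Finding("WARN", "SNMP",
                                 "SNMP enabled: confirm it runs only inside an IPsec tunnel"))
    return found


def failures(config: str) -> Set[str]:
    return {f.code for f in audit_config(config) if f.level == "FAIL"}


def password_meets_policy(password: str, min_len: int = 8) -> bool:
    """Minimum length this section requires for the Crypto Officer password."""
    return len(password) >= min_len


def single_guess_probability(length: int, alphabet: int = 94) -> float:
    """Chance of one random guess succeeding; FIPS 140-2 requires < 1e-6."""
    return 1.0 / (alphabet ** length)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for f in audit_config(cfg):
            print(f"{f.level:4} {f.code:18} {f.message}")
    print("8-character guess probability:", single_guess_probability(8))
```

The audit is static: it can prove that a non-approved transform or IKE setting is configured, but it can only warn about SNMP, because whether SNMP traffic actually rides inside an IPsec tunnel depends on the crypto map and the peer, not on the snmp-server line alone. The password length check has to run at the moment the Crypto Officer sets the password, since only the hash survives in the configuration.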
Page 20

Documentation Feedback

... your comments ...

Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold a valid Cisco service contract, the Cisco Technical Support Website on Cisco.com features extensive online support resources. ...