Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP
FIPS 140-2 Non-Proprietary Security Policy
Level 2 Validation
Version ...

Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
Copyright © 2001. All rights reserved.

This security policy describes how the Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP (Hardware Version: 2621XM, 2651XM; ...) ... FIPS 140-2 (Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules.

This document contains the following sections:
• ...
• Obtaining Additional Publications and Information, page 22
This document ... explains the secure configuration and operation of the Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP ... FIPS 140-2 Submission Package ... It describes the operations and capabilities of the Cisco 2621XM and Cisco 2651XM routers in the technical terms of ... This document deals only with the ... of the Cisco 2621XM and 2651XM routers.

References
...

The 2621XM/2651XM Router
...
This section describes the general features and functionality provided by the Cisco 2621XM and 2651XM routers ... Cisco IOS features such as tunneling, data encryption, and termination of ... the remote branch office, achieving wire-speed Ethernet to ... access server ... the functionality discussed in Figure 2.

The cryptographic boundary ... is all of the three-dimensional space within the case of the Cisco 2621XM and 2651XM routers, including the slots that accommodate a WIC or Network Module; the boundary includes the ... that hosts the WIC or Network Module, but it does not include the WIC or Network Module itself.
The physical interfaces include ... 10/100 Mbps auto-sensing Ethernet ... WIC slots ... for back-up WAN connectivity ... a power plug ... and the ... cryptographic card (AIM-VPN/EP) ... the PCI bridge ... in the same way that ... they only serve as ... they don't pass through ... The module also has two other RJ-45 connectors on the rear panel, with descriptions detailed in Table 1.

Figure 2 Cisco 2621XM and Cisco 2651XM Physical Interfaces (rear panel: WIC slots and serial connectors, Ethernet, console and auxiliary ports)
Figure 3 Cisco 2621XM and Cisco 2651XM Rear Panel LEDs (Link, FDX and 100 Mbps LEDs for 10/100BASE-T Ethernet 0/0 and Ethernet 0/1 (RJ-45); Auxiliary port (RJ-45); Console port (RJ-45))

Table 1 Cisco 2621XM and Cisco 2651XM Rear Panel LEDs and Descriptions

LED        Indication   Description
LINK       Green        An Ethernet link has been established ...
           Off          ...
FDX        Green        ...
           Off          ...
100 Mbps   Green        ...
           Off          ...

Table 2 provides more detailed information conveyed by the LEDs on the front panel (... RPS, ACTIVITY) ... of the router's operation.
... these physical interfaces are separated into the logical interfaces from FIPS 140-2 as described in Table 3:

Table 3 Cisco 2621XM and Cisco 2651XM FIPS 140-2 Logical Interfaces

Router Physical Interface                                          FIPS 140-2 Logical Interface
10/100BASE-TX LAN Port, WIC Interface, Network Module Interface,   Data Input Interface
Console Port, Auxiliary ...
...                                                                Data Output Interface
... Module Interface, Power Switch, Console Port, Auxiliary Port   Control Input Interface

RPS = Redundant ...

Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy, OL-6262-01
Table 3 Cisco 2621XM and Cisco 2651XM FIPS 140-2 Logical Interfaces (continued)
Router Physical Interface: 10/100BASE-TX LAN Port, WIC ...

Roles and Services

The module supports two main roles: the Crypto Officer role and the User role. ... The Crypto Officer role is assumed by providing a valid Crypto Officer username and password. The administrator of the ... for an 8 digit PIN, the probability of ... See the "Secure Operation of the Cisco 2621XM/2651XM Router" section on page 17 for more information.
The services available to the Crypto Officer ... through a terminal program ... include:

• Configure the router - set up router configurations, view complete ... configuration tables for IP tunneling ...
• Define Rules and Filters - create packet filters that are applied to ...
• Manage the router - log off users, shutdown or reload the router, manually back up ...
• Set keys and algorithms ...

... the IOS executive program ... The top portion of the chassis may be ... the motherboard, memory, and expansion slots.
... cure within five minutes. Place the fourth label on the router as shown in Figure 6.

Figure 5 Cisco 2621XM and Cisco 2651XM Chassis Removal (front panel: POWER, RPS and ACTIVITY LEDs, Cisco 2600 SERIES)

Any NM or WIC slot which is not populated with a NM or WIC must be covered with an appropriate slot cover in order to operate in a FIPS compliant mode. Any attempt to remove a WAN interface card will leave tamper evidence. Any attempt to remove the enclosure will leave tamper evidence. Any attempt to ... in order to remove a ...
... can be inspected by the operator ... (... for legacy systems) and 3DES (168-bit) IPSec encryption at up to ... zeroize this key.

Figure 6 Cisco 2621XM and Cisco 2651XM Tamper Evidence Label Placement (rear panel, across the WIC slots and serial connectors)

Tamper evidence seals ... with self-adhesive backing ...

Table 4 Critical Security Parameters

... keys and other critical security parameters such as passwords.
... This key is the seed key for all keys. DRAM (plaintext)
... The shared secret within IKE exchange. DRAM (plaintext)
Table 4 Critical Security Parameters (continued)

CSP 4 ... NVRAM (plaintext)
CSP 5 ...
CSP 6 ...
CSP 7 ...
CSP 8 ...
CSP 9 ...
CSP 10 ...
CSP 11 ...
CSP 12 ... DRAM (plaintext) The ...

... two forms based on whether the key is related to ...
... cannot be zeroized because it is embedded in ..., which would in essence prevent use of the DNS server.
... key. NVRAM (plaintext). This key is ... terminated.
... this NVRAM key (plaintext) ...
The key used in Cisco vendor ID generation. NVRAM (plaintext)
Table 4 Critical Security Parameters (continued)

CSP 18 ...
CSP 19 ...
CSP 20 ...
CSP 21 ...
CSP 22 ...

... The plaintext password of the SSH session. NVRAM (plaintext), DRAM (plaintext). ... zeroized by overwriting it with a new password.
... The TACACS+ shared secret. NVRAM (plaintext), DRAM (plaintext). ... zeroized upon completion of the TACACS+ shared secret set command.
... However, the algorithm used ... to the peer ... it is used as this key in DRAM. The key ...
User Guide
Page 13
The 2621XM/2651XM Router The services accessing the CSPs, the type of access and which role accesses the CSPs are listed in Table 5. Table 5 Role and Service ... Interface Cards SRDI/Role/Service Access Policy Security Relevant Data Item CSP 1 r CSP 2 r CSP 3 r CSP 4 r CSP 5 r CSP 6 r CSP 7 r CSP 8 r CSP 9 r CSP 10 r CSP 11 r dr w d r w d r w d r w d r w d r w d r w d r w d r w d r w d r w d Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy OL-6262-01 13
The 2621XM/2651XM Router The services accessing the CSPs, the type of access and which role accesses the CSPs are listed in Table 5. Table 5 Role and Service ... Interface Cards SRDI/Role/Service Access Policy Security Relevant Data Item CSP 1 r CSP 2 r CSP 3 r CSP 4 r CSP 5 r CSP 6 r CSP 7 r CSP 8 r CSP 9 r CSP 10 r CSP 11 r dr w d r w d r w d r w d r w d r w d r w d r w d r w d r w d r w d Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy OL-6262-01 13
User Guide
Page 14
The 2621XM/2651XM Router Table 5 Role and Service Access to CSPs (continued) Role/Service User Role Status Functions Network Functions Terminal Functions Directory Services Crypto-Officer Role ... Policy CSP 12 CSP 13 CSP 14 CSP 15 CSP 16 CSP 17 CSP 18 CSP 19 CSP 20 CSP 21 CSP 22 CSP 23 r r w d r r w d r r w d r r w d r r w r r w d r r w d r r w d r r w d r r w w d d r r w d r r w d Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy 14 OL-6262-01
The 2621XM/2651XM Router Table 5 Role and Service Access to CSPs (continued) Role/Service User Role Status Functions Network Functions Terminal Functions Directory Services Crypto-Officer Role ... Policy CSP 12 CSP 13 CSP 14 CSP 15 CSP 16 CSP 17 CSP 18 CSP 19 CSP 20 CSP 21 CSP 22 CSP 23 r r w d r r w d r r w d r r w d r r w r r w d r r w d r r w d r r w d r r w w d d r r w d r r w d Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy 14 OL-6262-01
User Guide
Page 15
Table 5 Role and Service Access to CSPs (continued) The 2621XM/2651XM Router Role/Service User Role Status Functions Network Functions Terminal Functions Directory Services Crypto-Officer Role Configure the Router Define Rules and Filters Status ... (for digital signatures and encryption/decryption (for IKE authentication)), cryptographic algorithms. The MD5, HMAC MD5, and MD4 algorithms are disabled when operating in FIPS mode. Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy OL-6262-01 15
Table 5 Role and Service Access to CSPs (continued) The 2621XM/2651XM Router Role/Service User Role Status Functions Network Functions Terminal Functions Directory Services Crypto-Officer Role Configure the Router Define Rules and Filters Status ... (for digital signatures and encryption/decryption (for IKE authentication)), cryptographic algorithms. The MD5, HMAC MD5, and MD4 algorithms are disabled when operating in FIPS mode. Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy OL-6262-01 15
Self-Tests

Self-tests performed by ...:
• Power-up tests
  - ...
  - HMAC SHA-1 KAT
  - RSA signature KAT (both signature and verification)
  - Diffie-Hellman self-test
  - ... bypass test
• Conditional tests
  - ...

If any ... self-test fails ... secure data ...

Key Management

... RSA-signature authentication ... Please refer to the Description column of Table 4 for ... individual tunnels ... are used to store ... The module supports three types of key management schemes:
• Manual key exchange method ... that specific tunnel only via the ...
• ...
  - Continuous random number generator tests

Self-tests performed by the AIM-VPN/EP (cryptographic accelerator):
• Power-up tests
  - ...
  - SHA-1 KAT
• Conditional tests
  - ...

Secure Operation of the Cisco 2621XM/2651XM Router

The Cisco 2621XM and 2651XM Modular Access Routers with AIM-VPN/EP ... Please refer to ... to place the module in the ...

Initial Setup
• ... by opening the chassis and visually confirming the presence of the ...
• ... with an alcohol-based cleaning pad ...
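The self-test lists above (the IOS power-up KATs on the previous page and the AIM-VPN/EP tests here) say what the module checks at power-up but not what a known-answer test or the continuous RNG test actually does. The following Python is an added example written for this page, not code from the Cisco security policy or from IOS: it runs a SHA-1 and an HMAC-SHA-1 known-answer test against published vectors (the FIPS 180-1 "abc" vector and RFC 2202 test case 1) and implements the FIPS 140-2 continuous RNG test, which rejects any output block equal to the previous one. The random source, the 16-byte block size and the fail-closed SelfTestFailure class are assumptions of the example.

```python
"""Added example (not from the Cisco security policy): power-up KATs and the
FIPS 140-2 continuous RNG test, written to show the shape of the checks the
page lists. Known answers are published vectors; the RNG source is a stand-in."""
import hashlib
import hmac
import os

# Published known-answer vectors: FIPS 180-1 "abc" for SHA-1, RFC 2202 test case 1
# for HMAC-SHA-1 (key = 0x0b repeated 20 times, data = "Hi There").
SHA1_KAT = (b"abc", "a9993e364706816aba3e25717850c26c9cd0d89d")
HMAC_SHA1_KAT = (b"\x0b" * 20, b"Hi There", "b617318655057264e28bc0b6fb378c8ef146be00")


class SelfTestFailure(Exception):
    """Raised when a KAT or conditional test fails; a module must then refuse service."""


def sha1_kat() -> bool:
    msg, expected = SHA1_KAT
    return hashlib.sha1(msg).hexdigest() == expected


def hmac_sha1_kat() -> bool:
    key, msg, expected = HMAC_SHA1_KAT
    # Constant-time comparison, as for any MAC check.
    return hmac.compare_digest(hmac.new(key, msg, hashlib.sha1).hexdigest(), expected)


def run_power_up_tests() -> dict:
    """Run every power-up KAT and fail closed: one mismatch raises before any result
    is returned, mirroring a module that enters an error state on KAT failure."""
    results = {"SHA-1 KAT": sha1_kat(), "HMAC SHA-1 KAT": hmac_sha1_kat()}
    failed = [name for name, ok in results.items() if not ok]
    if failed:
        raise SelfTestFailure("power-up self-test failed: " + ", ".join(failed))
    return results


class ContinuousRngTest:
    """FIPS 140-2 continuous RNG test: each output block is compared with the block
    before it, and a repeat is treated as a generator failure. The very first block
    is consumed for the comparison only and is never released to a caller."""

    def __init__(self, source, block_size: int = 16):
        self._source = source          # callable taking a byte count (assumed interface)
        self._block_size = block_size
        self._previous = source(block_size)

    def next_block(self) -> bytes:
        block = self._source(self._block_size)
        if block == self._previous:
            raise SelfTestFailure("continuous RNG test failed: repeated output block")
        self._previous = block
        return block


if __name__ == "__main__":
    print(run_power_up_tests())
    rng = ContinuousRngTest(os.urandom)
    print(rng.next_block().hex())
```

A stuck generator (one that keeps returning the same block) is caught on its first released output, which is the failure mode the continuous test exists for; it does not measure entropy, so it is a complement to, not a substitute for, a proper entropy source.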
• ... is the only allowable image; ...
• The Crypto Officer must disable IOS Password Recovery by executing the following commands:
  configure terminal
  no ...
  This setting disables break from the console to the ROM monitor and automatically boots the Cisco IOS image.
• The module must be configured to use RADIUS or TACACS+ for Users ...
• Configuring the module to use ... esp-des ...
• If the module is configured ... the Crypto Officer first engages the "enable" command ...
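To make the operating rules above checkable against a real router, the following Python is an added example (not code from the Cisco security policy or from Cisco) that lints a saved IOS running-config for the FIPS-mode requirements this page states: password recovery disabled, User authentication through RADIUS or TACACS+, and no MD5, HMAC-MD5 or MD4 in ISAKMP policies or IPsec transform sets (the page says those algorithms are disabled in FIPS mode). The IOS command syntax the checks look for (no service password-recovery, aaa authentication login ... group tacacs+, crypto isakmp policy ... hash, crypto ipsec transform-set ...) is assumed from standard Cisco IOS and is not quoted from the page, whose own command listing is truncated; the two sample configs are constructed for the example.

```python
"""Added example (not from the Cisco security policy): lint an IOS running-config
for the FIPS-mode rules the page states. IOS syntax below is assumed from
standard Cisco IOS, not quoted from the page."""
import re

# Constructed sample: a config that violates several of the page's rules.
NONCOMPLIANT_CONFIG = """\
version 12.3
service password-encryption
!
hostname rtr-2621xm
!
aaa new-model
aaa authentication login default local
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto ipsec transform-set T1 esp-3des esp-md5-hmac
crypto ipsec transform-set T2 esp-3des esp-sha-hmac
!
line con 0
line vty 0 4
 transport input ssh
!
end
"""

# Constructed sample: the same router after the Crypto Officer applied the rules.
COMPLIANT_CONFIG = (
    NONCOMPLIANT_CONFIG
    .replace("service password-encryption\n",
             "service password-encryption\nno service password-recovery\n", 1)
    .replace("aaa authentication login default local",
             "aaa authentication login default group tacacs+ local")
    .replace(" hash md5", " hash sha")
    .replace("crypto ipsec transform-set T1 esp-3des esp-md5-hmac",
             "crypto ipsec transform-set T1 esp-3des esp-sha-hmac")
)

# Hash algorithms the page says are disabled when operating in FIPS mode.
DISABLED_HASHES = ("md5", "md4")


def lint_fips_mode(config: str) -> list:
    """Return a list of findings; an empty list means no rule known here is violated."""
    findings = []
    lines = [line.rstrip() for line in config.splitlines()]

    # Rule: password recovery (break from console into ROMMON) must be disabled.
    if "no service password-recovery" not in lines:
        findings.append("password recovery is enabled: add 'no service password-recovery'")

    # Rule: Users must be authenticated through RADIUS or TACACS+, which needs AAA.
    if "aaa new-model" not in lines:
        findings.append("AAA is not enabled: add 'aaa new-model'")
    login = [line for line in lines if line.startswith("aaa authentication login")]
    if not any(re.search(r"group (tacacs\+|radius)", line) for line in login):
        findings.append("login authentication does not use RADIUS or TACACS+")

    # Rule: MD5/HMAC-MD5/MD4 are disabled in FIPS mode, so neither an ISAKMP
    # policy nor an IPsec transform set may reference them.
    policy = None  # number of the 'crypto isakmp policy' block being scanned
    for line in lines:
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            policy = m.group(1)
            continue
        if not line.startswith(" "):
            policy = None  # left the indented policy block
        if policy and line.strip().startswith("hash "):
            alg = line.split()[1].lower()
            if alg in DISABLED_HASHES:
                findings.append(f"isakmp policy {policy} uses hash {alg} (disabled in FIPS mode)")
        m = re.match(r"crypto ipsec transform-set (\S+) (.*)", line)
        if m and any(h in m.group(2).lower() for h in DISABLED_HASHES):
            findings.append(f"transform-set {m.group(1)} uses an MD5/MD4 HMAC (disabled in FIPS mode)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("noncompliant", NONCOMPLIANT_CONFIG), ("compliant", COMPLIANT_CONFIG)):
        print(name, lint_fips_mode(cfg) or "no findings")
```

Feed it the text of show running-config. An empty finding list is necessary but not sufficient for FIPS mode: the image check, the tamper-evidence labels and the slot covers on the preceding pages are physical and cannot be read from a configuration.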
• ... SNMP operations ... must configure the module so that SSH uses only FIPS-approved algorithms. ... the following algorithms are not FIPS approved and should be performed within a secure IPSec ...

Related Documentation

For more information about the Cisco 2621XM and Cisco 2651XM modular access routers, refer to the following ...

... obtain technical information from Cisco Systems.

Cisco.com
You can access the most current Cisco documentation at this URL: http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL: http://www.cisco.com
... can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by writing to bug-doc@cisco.com. In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support.