User Guide
Page 1
... Cryptographic Modules) details the U.S. This document contains the following sections: • Introduction, page 1 • The 2621XM/2651XM Router, page 2 • Secure Operation of the Cisco 2621XM/2651XM Router, page 17 • Related Documentation, page 19 • Obtaining Documentation, page 19 • Documentation ...Jose, CA 95134-1706 USA Copyright © 2001. Cisco Systems, Inc. More information about the FIPS 140-2 standard and validation program is the non-proprietary Cryptographic Module Security Policy for the 2621XM and 2651XM Modular Access Routers with AIM-VPN/EP ...
Page 2
... functionality of a FIPS 140-2 cryptographic module security policy. The Cisco 2621XM and Cisco 2651XM Modular Access Routers with operations and capabilities of the Cisco 2621XM and Cisco 2651XM routers in the technical terms of the Cisco 2621XM and 2651XM routers. For access to these documents, please contact Cisco Systems. The 2621XM/2651XM Router Branch office networking requirements are referred to...
Page 3
...virtual private networks or outsourced dial solutions. All of the device except any installed modular WICs or Network Modules. The Cisco 2621XM and 2651XM routers incorporate an AIM-VPN/EP cryptographic accelerator card. The cryptographic boundary is provided by components within the ...case that would be occupied by the Cisco 2621XM and 2651XM routers. Cisco 2600's RISC-based processor provides the power needed for the dynamic requirements of Remote Access WANs via IPSec, Layer 2...
Page 4
...the back panel for a console terminal for local system access and an auxiliary port for data transfers in Table 1: Cisco 2621XM and Cisco 2651XM Modular Access Routers with the cryptographic card; WICs interface directly with descriptions detailed in and out. Network modules ...supply and a power switch. The physical interfaces include a power plug for back-up WAN connectivity. The 2621XM/2651XM Router [Figure 2: Cisco 2621XM and Cisco 2651XM Physical Interfaces (WIC slots, serial connectors); panel silk-screen labels omitted]
Page 5
... redundant power is established. Figure 4 shows the front panel LEDs, which provide overall status of the router's operation. The 2621XM/2651XM Router [Figure 3: Cisco 2621XM and Cisco 2651XM Rear Panel LEDs; callouts: 100 Mbps LED, Link LED, FDX LED, Ethernet 0/1 (RJ-45), 10/100BASE-T Ethernet 0/0 (RJ-45), Auxiliary port (RJ-45), Console port (RJ-45)] Table 1 Cisco 2621XM and Cisco 2651XM Rear Panel LEDs and Descriptions: columns LED (LINK, FDX, 100 Mbps), Indication (Green / Off), Description; first description: An Ethernet link has been established...
Page 6
... level of these physical interfaces are separated into the logical interfaces from FIPS 140-2 as described in Table 3: Table 3 Cisco 2621XM and Cisco 2651XM FIPS 140-2 Logical Interfaces Router Physical Interface 10/100BASE-TX LAN Port WIC Interface Network Module Interface Console Port Auxiliary ... Module Interface Power Switch Console Port Auxiliary Port FIPS 140-2 Logical Interface Data Input Interface Data Output Interface Control Input Interface Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy 6 OL-6262-01 RPS = Redundant...
Page 7
...enable interfaces and network services, set system date and time, and load authentication information. Crypto Officer Services During initial configuration of the Cisco 2621XM and 2651XM Routers can use the encryption and decryption functionality after authentication to the User role by providing a valid User username and...If only integers 0-9 are two main roles in 1,814,400. The administrator of the router. See the "Secure Operation of the Cisco 2621XM/2651XM Router" section on page 17, for the configuration and maintenance of the router assumes the Crypto Officer role in the FIPS ...
Page 8
The IOS prompts the User for each interface. Cisco 2621XM and Cisco 2651XM Modular Access Routers with a terminal program. The services available to the User role consist of the following: • Status Functions-view state of ...interfaces, state of layer 2 protocols, version of IOS currently running • Network Functions-connect to the IOS executive program. The 2621XM/2651XM Router • Define ...
Page 9
... attempt to remove the enclosure will leave tamper evidence. The labels completely cure within five minutes. Figure 5 Cisco 2621XM and Cisco 2651XM Chassis Removal The 2621XM/2651XM Router POWER RPS ACTIVITY Cisco 2600 SERIES 99497 Any NM or WIC slot, which is not populated with a NM or WIC, must ...half covers the side of the tamper evidence label covers the enclosure and the other half covers the WAN interface card slot. Cisco 2621XM and Cisco 2651XM Modular Access Routers with each router, and additional covers may be placed so that one half of the router. The ...
Page 10
... Crypto Officer role login, and can also be inspected for signs of tampering, which provides DES (56-bit) (only for all keys. DRAM (plaintext) Cisco 2621XM and Cisco 2651XM Modular Access Routers with self-adhesive backing. Zeroized after the generation of the module cover. Tamper evidence seals can be inspected for X9.31...
Page 11
...of that key. This key is the same DRAM as above key. DRAM (plaintext) The IKE session authentication key. The zeroization is embedded in Cisco vendor ID generation. NVRAM (plaintext) This key generates keys 3, 4, 5 and 6. After above expiration happens and before a new public key structure...used in the module binary image and can have two forms based on whether the key is zeroized as above. NVRAM (plaintext) NVRAM (plaintext) The IPSec ...
Page 12
... However, the algorithm used as this key in DRAM. Therefore, this (plaintext) key because it onto the peer. NVRAM (plaintext), DRAM (plaintext) Cisco 2621XM and Cisco 2651XM Modular Access Routers with a new password. A DRAM function uses this key) from the AAA server and sends it is terminated. The password retrieved...to the peer. This shared secret is zeroized NVRAM by the router to authenticate itself to #22 except that is a public key; The 2621XM/2651XM Router Table 4 Critical Security Parameters (continued) [rows CSP 18 through CSP 23; cell contents not recoverable from this extraction]...
Page 13
... Interface Cards SRDI/Role/Service Access Policy: Security Relevant Data Item columns CSP 1 through CSP 11 [r/w/d access cells not recoverable from this extraction] The...
Page 14
The 2621XM/2651XM Router Table 5 Role and Service Access to CSPs (continued) Role/Service: User Role (Status Functions, Network Functions, Terminal Functions, Directory Services), Crypto-Officer Role ... Policy; columns CSP 12 through CSP 23 [r/w/d access cells not recoverable from this extraction]
Page 15
Table 5 Role and Service Access to CSPs (continued) The 2621XM/2651XM Router Role/Service: User Role (Status Functions, Network Functions, Terminal Functions, Directory Services), Crypto-Officer Role (Configure the Router, Define Rules and Filters, Status ...) (for digital signatures and encryption/decryption (for IKE authentication)), cryptographic algorithms. The MD5, HMAC MD5, and MD4 algorithms are disabled when operating in FIPS mode.
Page 16
...module can be authenticated to derive DES, 3DES or AES keys. - Firmware integrity test - AES KAT - HMAC SHA-1 KAT Cisco 2621XM and Cisco 2651XM Modular Access Routers with RSA-signature authentication. Self-Tests In order to zeroize each key and CSP. If any secure data from...router only allows plaintext traffic to the Description column of Table 4 for exchanging pre-shared keys manually and entering electronically. - The 2621XM/2651XM Router The module supports three types of key management schemes: • Manual key exchange method that created the keys, and the...
Page 17
... mode of any grease, dirt, or oil with an alcohol-based cleaning pad. DES KAT - The Crypto Officer must apply tamper evidence labels as ...and AIM-VPN/EP identification. Continuous random number generator tests Self-tests performed by opening the chassis and visually confirming the presence of the Cisco 2621XM/2651XM Router • Conditional tests - This document may add and remove Network Modules. Secure Operation of the AIM-VPN/EP. TDES ...
Page 18
... Crypto Officer enters the following syntax at the "#" prompt: enable secret • The Crypto Officer must always assign passwords (of the Cisco 2621XM/2651XM Router • The Crypto Officer must disable IOS Password Recovery by executing the following algorithms are allowed in FIPS mode: Internet Key... keys that are at least 8 characters and is entered when the Crypto Officer first engages the "enable" command. esp-des no service password-recovery end...
Page 19
...: - MD-5 HMAC Protocols All SNMP operations must configure the module so that SSH uses only FIPS-approved algorithms. Related Documentation For more information about the Cisco 2621XM and Cisco 2651XM modular access routers, refer to use a FIPS-approved algorithm. These sections explain how to obtain technical assistance and other technical resources. Remote Access...
Page 20
... extensive online support resources. Documentation Feedback You can access international Cisco websites at this URL: http://www.cisco.com/public/countries_languages.shtml Ordering...CA 95134-9883 We appreciate your document or by calling 800 553-NETS (6387). If you do not hold valid Cisco service contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical assistance. Documentation Feedback You can submit comments by using the response...