User Guide
Page 1
... Level 2 Validation, Version 1.3, June 2, 2004. Introduction: This is available on the NIST website at http://csrc.nist.gov/cryptval/. Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP. All rights reserved. Cisco Systems, Inc. AIM-VPN/EP: Hardware Version 1.0, Board Version B0; Government requirements for cryptographic modules. Firmware Version: IOS 12...
Page 2
...-2 cryptographic module security policy. This introduction section is available on the Cisco 2621XM and Cisco 2651XM routers and the Cisco 2600 Series from the following sources: • The Cisco Systems website contains information on the Cisco Systems website at www.cisco.com. "Secure Operation of the Cisco 2621XM/2651XM Router" specifically addresses the required configuration for the module. Terminology...
Page 3
... defined as tunneling, data encryption, and termination of the functionality discussed in Figure 2. Cisco 2600's RISC-based processor provides the power needed for the 2651XM. Cisco 2621XM and Cisco 2651XM Modular Access Routers with up to 30 thousand packets per second (Kpps) throughput...provided by components within the case that would be occupied by the Cisco 2621XM and 2651XM routers. The 2621XM/2651XM Cryptographic Module. Figure 1 The 2621XM/2651XM Router (front view; LED labels POWER, RPS, ACTIVITY; Cisco 2600 SERIES). The 2621XM and 2651XM Routers are not designed to Ethernet routing with AIM-...
Page 4
... back panel for a console terminal for local system access and an auxiliary port for data transfers in Table 1: Cisco 2621XM and Cisco 2651XM Modular Access Routers with the cryptographic card; mixed Token-Ring and Ethernet; LAN support includes single and dual Ethernet... will pass through the Network Module (just as a data input and data output physical interface). The 2621XM/2651XM Router. Figure 2 Cisco 2621XM and Cisco 2651XM Physical Interfaces (rear view labelled Cisco 2650; callouts: WIC slots, SERIAL 0 and SERIAL 1 connectors, WIC 2A/S)...
Page 5
...RPS ACTIVITY. Table 2 provides more detailed information conveyed by the LEDs on the front panel of the router's operation. The 2621XM/2651XM Router. Figure 3 Cisco 2621XM and Cisco 2651XM Rear Panel LEDs (callouts: 100 Mbps, Link and FDX LEDs; SERIAL 1 and SERIAL ... connectors; 10/100BASE-T Ethernet 0/1 (RJ-45); 10/100BASE-T Ethernet 0/0 (RJ-45); Auxiliary port (RJ-45); Console port (RJ-45)). Table 1 Cisco 2621XM and Cisco 2651XM Rear Panel LEDs and Descriptions (columns: LED, Indication, Description): LINK, Green / Off; FDX, Green / Off; 100 Mbps, Green / Off. Description: An Ethernet link has been established...
Page 6
... level of these physical interfaces are separated into the logical interfaces from FIPS 140-2 as described in Table 3. Table 3 Cisco 2621XM and Cisco 2651XM FIPS 140-2 Logical Interfaces (columns: Router Physical Interface, FIPS 140-2 Logical Interface). Router Physical Interface entries: 10/100BASE-TX LAN Port, WIC Interface, Network Module Interface, Console Port, Auxiliary ... Module Interface, Power Switch, Console Port, Auxiliary Port. FIPS 140-2 Logical Interface entries: Data Input Interface, Data Output Interface, Control Input Interface. Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy, 6, OL-6262-01. RPS = Redundant...
Page 7
...the User role. Crypto Officer Services: During initial configuration of the router assumes the Crypto Officer role in the FIPS mode. The configuration of ... to access the Crypto Officer role to the User role by providing a valid Crypto Officer username and password. The 2621XM/2651XM Router. Table 3 Cisco 2621XM and Cisco 2651XM FIPS 140-2 Logical Interfaces (continued): Router Physical Interface: 10/100BASE-TX LAN Port, WIC Interface, Network Module Interface ...
Page 8
... of files kept in the "Initial Setup" section of the chassis may be set up the configuration tables for their password. Cisco 2621XM and Cisco 2651XM Modular Access Routers with a terminal program. The 2621XM/2651XM Router. • Define Rules and Filters: create packet filters that are applied to User data streams on-board LAN...
Page 9
... interface card will leave tamper evidence. The temperature of the router. Any attempt to remove the enclosure will leave tamper evidence. Cisco 2621XM and Cisco 2651XM Modular Access Routers with an appropriate slot cover in order to operate in Figure 6. The tamper evidence label should be placed...of the label covers the enclosure and the other half covers the WAN interface card slot. Figure 5 Cisco 2621XM and Cisco 2651XM Chassis Removal (front view; LED labels POWER, RPS, ACTIVITY; Cisco 2600 SERIES). The 2621XM/2651XM Router. Any NM or WIC slot, which is not populated with a NM or WIC, ...
Page 10
...from a special thin gauge vinyl with ... The 2621XM/2651XM Router. Figure 6 Cisco 2621XM and Cisco 2651XM Tamper Evidence Label Placement (rear view; callouts: WIC slot W1, SERIAL 0 and SERIAL 1 connectors, WIC 2A/S) ... (DH) exchange. Zeroized when IKE session is the seed key for signs of the module cover. DRAM (plaintext). Cisco 2621XM and Cisco 2651XM Modular Access Routers with self-adhesive backing. Cryptographic Key Management: The router securely administers both cryptographic keys and other critical...
Page 11
...This key does not need to be zeroized because it is related to generate IKE skeyid during preshared-key authentication. NVRAM (plaintext). These keys are expired either ... expiration happens and before a new public key structure is created this key is a public key. This key can be zeroized because it is deleted. The 2621XM/2651XM Router. Table 4 Critical Security Parameters (continued): rows CSP 4, CSP 5, CSP 6, CSP 7, CSP 8, CSP 9, CSP 10, CSP 11, 12 ...
Page 12
...values of the User role. However, the algorithm used by the router to authenticate itself to the peer. NVRAM (plaintext), DRAM (plaintext). Cisco 2621XM and Cisco 2651XM Modular Access Routers with a new password. (plaintext) The ciphertext password of the TACACS+ shared secret set command. Zeroized after the ...The RSA public key used in a DES algorithm for FIPS purposes. This key is terminated. NVRAM (plaintext). The RADIUS shared secret. The 2621XM/2651XM Router. Table 4 Critical Security Parameters (continued): rows CSP 18, CSP 19, CSP 20, CSP 21, CSP 22, 23 ...
Page 13
... Interface Cards. SRDI/Role/Service Access Policy (columns: Security Relevant Data Item, then access flags r/w/d per role and service): CSP 1 r, CSP 2 r, CSP 3 r, CSP 4 r, CSP 5 r, CSP 6 r, CSP 7 r, CSP 8 r, CSP 9 r, CSP 10 r, CSP 11 r; remaining cells follow the pattern d r w d (column assignment not recoverable from this extract). The...
Page 14
The 2621XM/2651XM Router. Table 5 Role and Service Access to CSPs (continued). Role/Service columns: User Role: Status Functions, Network Functions, Terminal Functions, Directory Services; Crypto-Officer Role ... Policy. Rows CSP 12, CSP 13, CSP 14, CSP 15, CSP 16, CSP 17, CSP 18, CSP 19, CSP 20, CSP 21, CSP 22, CSP 23, with per-service access cells in the pattern r, r w d (column assignment not recoverable from this extract).
Page 15
Table 5 Role and Service Access to CSPs (continued). The 2621XM/2651XM Router. Role/Service columns: User Role: Status Functions, Network Functions, Terminal Functions, Directory Services; Crypto-Officer Role: Configure the Router, Define Rules and...
Page 16
...3DES or AES keys. - Firmware integrity test - RSA signature KAT (both signature and verification) - DES KAT - HMAC SHA-1 KAT. Cisco 2621XM and Cisco 2651XM Modular Access Routers with support for information on methods to derive HMAC-SHA-1 key. • Internet Key Exchange with that are ...functioning correctly. The 2621XM/2651XM Router. The module supports three types of key management schemes: • Manual key exchange method...
Page 17
...entire label from the router and clean the cover of any grease, dirt, or oil with an alcohol-based cleaning pad. Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP meet all the Level 2 requirements for detailed instructions on chassis disassembly and reassembly...the "Physical Security" section of this router without maintaining the following settings will remove the module from the FIPS approved mode of the Cisco 2621XM/2651XM Router. • Conditional tests - SHA-1 KAT • Conditional tests - Continuous random number generator test. Secure Operation of this ...
Page 18
..."configure terminal" command line, the Crypto Officer enters the following syntax: config-register 0x0102 • The Crypto Officer must be 0x0102. esp-des ... Cisco IOS version 12.3(3d) is required for the Crypto Officer role. Secure Operation of the Cisco 2621XM/2651XM Router. • The Crypto Officer must disable IOS Password Recovery by executing the following commands...
Page 19
...The Crypto Officer must configure the module so that SSH uses only FIPS-approved algorithms. Related Documentation: For more information about the Cisco 2621XM and Cisco 2651XM modular access routers, refer to the following algorithms are secured through IPSec. • SSH access to use a FIPS-... obtain technical information from Cisco Systems. Cisco.com: You can access the most current Cisco documentation at this URL: http://www.cisco.com/univercd/home/home.htm You can access the Cisco website at this URL: http://www.cisco.com Cisco 2621XM and Cisco 2651XM Modular Access Routers with...
Page 20
...-a-day, award-winning technical assistance. Documentation Feedback You can access international Cisco websites at this URL: http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm You can order Cisco documentation in North America, by writing to bug-doc@cisco.com. Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non...