User Guide
Page 1
... Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. This policy was prepared as part of the Level 2 FIPS 140-2 validation of the Cisco 2621XM/2651XM Router, page 17 • Related Documentation, page 19 • Obtaining Documentation, page 19 • Documentation Feedback, page 20 • Obtaining Technical Assistance, page 20 • Obtaining ...
Page 2
...) and WAN Interface Cards (WICs), the modular architecture of operation. The Cisco 2621XM and Cisco 2651XM Modular Access Routers with operations and capabilities of the Cisco 2621XM and Cisco 2651XM routers in the technical terms of the Cisco 2621XM and 2651XM routers. This introduction section is available on the Cisco 2621XM and Cisco 2651XM routers and the Cisco 2600 Series from the following sources: • The...
Page 3
... of the "backplane" of the three-dimensional space within this document is provided by components within the case that would be occupied by the Cisco 2621XM and 2651XM routers. The cryptographic boundary includes the connection apparatus between the WIC or Network Module and the motherboard/daughterboard that meets FIPS 140-2 Level 2 requirements. and...
Page 4
...rear panel with descriptions detailed in that the fixed LAN ports do not perform any cryptographic functions. Figure 2 Cisco 2621XM and Cisco 2651XM Physical Interfaces (figure: WIC slots and SERIAL 0 / SERIAL 1 connectors) ...Ethernet; WAN interface cards support a variety of two slots, which are similar to Network Modules in Table 1: Cisco 2621XM and Cisco 2651XM Modular Access Routers with the PCI bridge in and out. Therefore, no security parameters will pass through the LAN ports). WICs interface...
Page 5
... booted, if the redundant power is established. Figure 4 shows the front panel LEDs, which provide overall status of the router's operation. Figure 3 Cisco 2621XM and Cisco 2651XM Rear Panel LEDs (figure: 100 Mbps, Link and FDX LEDs; SERIAL 0 / SERIAL 1 connectors) Figure 4 Front Panel LEDs (figure: POWER, RPS, ACTIVITY) Table 2 provides more detailed information conveyed by the LEDs on the front panel of the router: Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy OL-6262-01 5
Page 6
... Power System All of activity 1. Table 2 Cisco 2621XM and Cisco 2651XM Front Panel LEDs and Descriptions (columns: LED, Indication, Description) Power Green: Power is supplied to the router and the router is operational. RPS1 Off: The router is not powered on. Green: RPS is attached ... interfaces are separated into the logical interfaces from FIPS 140-2 as described in Table 3: Table 3 Cisco 2621XM and Cisco 2651XM FIPS 140-2 Logical Interfaces (Router Physical Interface column: 10/100BASE-TX LAN Port, WIC Interface, Network Module Interface, Console Port, Auxiliary Port, 10/100BASE...)
Page 7
... the FIPS mode. If only integers 0-9 are two main roles in order to the Crypto Officer role. The administrator of randomly guessing..., thereby creating additional Crypto Officers. The configuration of the router, the Crypto Officer password (the "enable" password) is defined. Table 3 Cisco 2621XM and Cisco 2651XM FIPS 140-2 Logical Interfaces (continued) (Router Physical Interface column: 10/100BASE-TX LAN Port, WIC Interface, Network ...)
Page 8
...Filter consists of a set of Rules, which define a set of files kept in flash memory. Physical Security The router is allowed entry to the IOS executive program. Cisco 2621XM and Cisco 2651XM Modular Access Routers with a terminal program. The top portion of the unit provides 1 Network Module slot, 2 WIC slots, on... tunneling. The IOS prompts the User for each interface. Set keys and algorithms to be used for their password. • Define Rules and Filters: create packet Filters that are applied to other network devices through outgoing telnet, PPP, etc.
Page 9
... tamper evidence label should be ordered from Cisco. Any attempt to remove the enclosure will leave tamper evidence. Cisco 2621XM and Cisco 2651XM Modular Access Routers with an appropriate slot cover in order to operate in Figure 6. Figure 5 Cisco 2621XM and Cisco 2651XM Chassis Removal (figure: front panel with POWER, RPS and ACTIVITY LEDs) Any NM or WIC slot...
Page 10
... parameters such as passwords; hence, it is stored in Diffie-Hellman (DH) exchange. DRAM (plaintext) The shared secret within IKE exchange. DRAM (plaintext) Cisco 2621XM and Cisco 2651XM Modular Access Routers with self-adhesive backing. The module supports the following: curled corners, bubbling, crinkling, rips, tears, and slices. Tamper evidence seals can also be...
Page 11
...DRAM (plaintext) The IPSec authentication key. The zeroization is a public key. NVRAM (plaintext) The IPSec encryption key. NVRAM (plaintext) This key is terminated. Table 4 Critical Security Parameters (continued) (rows CSP 4 through CSP 11) ... the key and it is the same as above. DRAM (plaintext) The IKE session encrypt key. NVRAM (plaintext) DRAM (plaintext) The IKE session ...
Page 12
...CO role. Issuing the "no key config-key" is issued. (plaintext) This key is used by the router to authenticate itself ). NVRAM (plaintext) This is used as mentioned here. This shared secret is used as an... NVRAM (plaintext), DRAM (plaintext) The TACACS+ shared secret. Table 4 Critical Security Parameters (continued) (rows CSP 18 through CSP 21) ...a DES algorithm for FIPS purposes. NVRAM (plaintext), DRAM (plaintext) Cisco 2621XM and Cisco 2651XM Modular Access Routers with a new password.
Page 13
... Rules and Filters, Status Functions, Manage the Router, Set Encryptions/Bypass, Change WAN Interface Cards. SRDI/Role/Service Access Policy (table: Security Relevant Data Items CSP 1 through CSP 11, each row marked with the access flags r, w, d per role/service) ...
Page 14
... Policy (table continued: Security Relevant Data Items CSP 12 through CSP 23, each row marked with the access flags r, w, d per role/service)
Page 15
Table 5 Role and Service Access to CSPs (continued) Role/Service: User Role (Status Functions, Network Functions, Terminal Functions, Directory Services); Crypto-Officer Role (Configure the Router, Define Rules and Filters, Status Functions...)
Page 16
... of a security module to derive DES, 3DES or AES keys. - DES KAT - PRNG KAT - HMAC SHA-1 KAT Cisco 2621XM and Cisco 2651XM Modular Access Routers with Diffie-Hellman key agreement technique to ensure all the pre-shared keys. Self-Tests In order to prevent any of the ...to pass through and no encrypted traffic is symmetric. Note After the router recovers from being released, it is halted and the router outputs status information indicating the failure. Diffie-Hellman self-test - The module supports three types of key management schemes: • Manual...
Page 17
...section of the AIM-VPN/EP. Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP meet all the Level 2 requirements for detailed instructions on the router as described in Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Routers for FIPS 140-2. Continuous random number...module in the "Physical Security" section of this router without maintaining the following settings will remove the module from the router and clean the cover of the Cisco 2621XM/2651XM Router The Cisco 2621XM and 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary ...
Page 18
...The password must be 0x0102. ah-sha-hmac - esp-des Secure Operation of the Cisco 2621XM/2651XM Router • The Crypto Officer must disable IOS Password Recovery by executing... users to a privilege level 1 (the default). • The Crypto Officer shall not assign a command to any IOS image onto the router; this will not be possible. System Initialization and Configuration • The Crypto Officer must be at least 8 characters and is the only ...
Page 19
... module. The Crypto Officer must configure the module so that SSH uses only FIPS-approved algorithms. Related Documentation For more information about the Cisco 2621XM and Cisco 2651XM modular access routers, refer to obtain technical assistance and other technical resources. Remote Access • Telnet access to the module is configured to obtain technical information...
Page 20
... features extensive online support resources. If you do not hold valid Cisco service contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical assistance. Documentation Feedback You can send comments about technical documentation...