Cisco 2851 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy
Level 2 Validation
Version 1.3
November 23, 2005

Introduction

This document ... FIPS 140-2 (Security Requirements for Cryptographic Modules). More information about the FIPS 140-2 standard and validation program is available on the NIST website at http://csrc.nist.gov/cryptval/. This policy was prepared as part of the Level 2 FIPS 140-2 validation of the Cisco 2851 Integrated Services Router and describes how to operate the router in the FIPS-approved mode.

This document contains the following sections:
• Introduction, page 1
• Cisco 2851 Routers, page 2
• Secure Operation of the Cisco 2851 Router, page 17
• ...

... All rights reserved.
... referred to as additional references. ... is releasable only under appropriate non-disclosure agreements. For access to these documents, please contact Cisco Systems.

This document provides an overview of the Cisco 2851 router and its operation. The "Cisco 2851 Routers" section describes the general features and functionality provided by the router; the "Secure Operation of the Cisco 2851 Router" section on page 17 specifically addresses the required configuration for the FIPS-approved mode. For answers to ... questions, refer to the contacts listed on ...

Cisco 2851 Routers

Branch office networking requirements are dramatically evolving, driven by web and e-commerce applications to enhance productivity and merging ...
The Cisco 2851 router is a multiple-chip standalone cryptographic module. The cryptographic boundary of the module is ...; the cryptographic functionality described in this document is provided by components within this cryptographic boundary. ... 450MHz ... The interface for cryptographic operations ... The router has ... front and rear panels as shown in Figure 2 and Figure 3. Depending on ...

Figure 2 Cisco 2851 Front Panel Physical Interfaces
[Figure: callouts 1 to 7; panel markings OPTIONAL RPS INPUT 12V 18A, SYS PWR, AUX/PWR, SYS ACT, CF, COMPACT FLASH]

Figure 3 Cisco 2851 Rear Panel Physical Interfaces
[Figure: panel markings "Do Not Remove During Network Operation", 0/1 power switch, 12V -48V 11A 4A, CONSOLE, AUX, 100-240 V~ 50/60 Hz 4A; drawing number 95903]
The front panel contains the following:
• (1) Power inlet
• (2) Power switch
• (3) Console ...
...

The back panel contains ... RJ45 ports, an Enhanced Network Module (ENM) slot, a Voice Network Module (VeNoM) slot, and a Compact Flash (CF) drive. The Cisco 2851 router supports one single-width network module, four single-width or two double-width HWICs, two internal advanced integration modules (AIMs)(1), three internal packet ... The back panel also provides IP phone power output ... The LEDs are ... LEDs, three PVDM LEDs, and two AIM LEDs.

(1) A separate security policy covers the Cisco 2851 router with ... installed; that configuration is not described by this security policy.
Table 1 and Table 2 provide more detailed information conveyed by the LEDs on the front and rear panel of the router:

Table 1 Cisco 2851 Front Panel Indicators

Name              State            Description
System Power      Off              ...
                  Blinking Green   ...
                  Solid Green      ...
                  Solid Orange     ...
Auxiliary Power   Off              ...
                  Solid Green      ...
                  Solid Orange     ...
Activity          Off              ...
                  ...              System is actively transferring packets
Compact Flash     ...              No ongoing accesses, eject permitted
                  ...              Device is busy, do not eject

Table 2 Cisco 2851 Rear Panel Indicators

Name    State                                Description
PVDM2   Off / Solid Green / Solid Orange     ...
PVDM1   Off / Solid Green / Solid Orange     ...
PVDM0   Off / Solid Green / Solid Orange     ...
AIM1    Off / Solid Green / Solid Orange     ...
AIM0    Off / Solid Green / Solid Orange     ...
... No link established / Ethernet link is established.

The physical interfaces are separated into the logical interfaces defined by FIPS 140-2 as described in Table 4:

Table 4 Cisco 2851 FIPS 140-2 Logical Interfaces

Router Physical Interface                                              FIPS 140-2 Logical Interface
10/100 Ethernet LAN Ports, HWIC Ports, Console Port, Auxiliary Port,   Data Input Interface
ENM Slot, VeNoM Slot
10/100 Ethernet ... Ports, HWIC Ports, ...                             Data Output Interface
Power Switch, Console Port, Auxiliary Port, ENM Slot, ...              Control Input Interface

Cisco 2851 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy, OL-8717-01
Table 4 Cisco 2851 FIPS 140-2 Logical Interfaces (Continued)

Router Physical Interface                                              FIPS 140-2 Logical Interface
10/100 Ethernet LAN Port LEDs, AIM LEDs, PVDM LEDs, Power LED,         Status Output Interface
Activity LEDs, Auxiliary LED, Compact ...

Roles and Services

... the Crypto Officer ... to configure and maintain the router using Crypto Officer services, while the Users exercise only the basic User services. ... assumes the Crypto Officer role in order to ... a LAN port. The card itself must never be found in the ...

User Services

• Performing Basic System ... Functions - View state of interfaces and protocols, version of ... the router ...
Crypto Officer Services

During initial configuration of the router, the Crypto Officer password (the ...) ... The Crypto Officer services consist of the following:
• Configure the router - Define network interfaces and settings, create command aliases, set the protocols ..., set the ... time, and load authentication information.
• Define Rules and Filters - Create packet Filters that are applied to User data streams on ... based on characteristics such as ...
...
... tamper evidence seals provide physical protection for this purpose. The tamper evidence label should be placed so that one half ... so that any attempt to ... will show evidence of tampering. To apply the labels to the Cisco 2851:

Step 1 Clean the cover ...
Step 2 ...
Step 3 ...
Step 4 ...
Step 5 ...
Step 6 ...

Figure 4 Cisco 2851 Tamper Evident Label Placement (Back View)
Figure 5 Cisco 2851 Tamper Evident Label Placement (Front View)

Cryptographic Key ...

The routers support the following FIPS 140-2 approved algorithm implementations:
• Software (IOS) implementations - AES, DES, ... (DH for key establishment) ...

All Diffie-Hellman (DH) keys ... DH is also used to support key establishment; it is allowed in the approved mode despite being non-approved. The DES/3DES/AES key and HMAC-SHA-1 key are used ... in the DRAM; see the Cisco IOS Reference Guide. The pre-shared key is only available in the approved mode ... ; the CO password is protected by ... The outbound AH session key is zeroized by sending the "no set session-key outbound ah spi hex-key-data" command.
Table 5 Cryptographic Keys and CSPs (fragments)

... Diffie-Hellman (...) of IKE: zeroized automatically after the DH shared secret has been generated.
... IKE-derived CSPs: zeroized automatically after the IKE session is terminated.
... this CSP: zeroized automatically after ...

Note that keys stored in NVRAM are in ...

Zeroization commands include:
• no set session-key inbound esp spi cipher hex-key-data [authenticator hex-key-data]
• no crypto ...
Table 5 Cryptographic Keys and CSPs (Continued)

... those keys. (plaintext)
secret_1_0_0 - The fixed key used in Cisco vendor ID generation.
ISAKMP preshared Secret - The key used in ... ; the "no crypto isakmp key" command zeroizes it.
... can be deleted by overwriting it with a new password.
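Table 5 describes three zeroization triggers: session keys destroyed automatically when the IKE session ends, long-lived secrets destroyed by an explicit Crypto Officer command such as "no crypto isakmp key", and a password destroyed by overwriting it with a new value. The following is an added example, not Cisco IOS code and not from this security policy; it models those three behaviours in Python. The CSP names come from the page's tables, but the store layout, the function names, the use of os.urandom as a stand-in for IKE key derivation and the 20-byte key length are assumptions made for illustration.

```python
"""Key zeroization in the three forms Table 5 describes (added example).

CSPs are kept in bytearrays so the key material can be overwritten in
place rather than merely dereferenced and left for the garbage collector.
"""
import os
from typing import Dict, List, Optional


class CspStore:
    """Holds CSPs by name; zeroize() overwrites before dropping the entry."""

    def __init__(self) -> None:
        self._csps: Dict[str, bytearray] = {}

    def load(self, name: str, value: bytes) -> None:
        self._csps[name] = bytearray(value)

    def get(self, name: str) -> Optional[bytes]:
        v = self._csps.get(name)
        return bytes(v) if v is not None else None

    def zeroize(self, name: str) -> bytearray:
        """Overwrite the key material with zeros, then remove the entry.
        The zeroed buffer is returned so a caller can verify it."""
        buf = self._csps.pop(name)          # KeyError if no such CSP
        for i in range(len(buf)):
            buf[i] = 0
        return buf

    def overwrite(self, name: str, new_value: bytes) -> bytearray:
        """Table 5's 'deleted by overwriting it with a new password'."""
        old = self.zeroize(name)
        self.load(name, new_value)
        return old

    def names(self) -> List[str]:
        return sorted(self._csps)


class IkeSession:
    """Context manager: loads the IKE session keys on entry and zeroizes
    them on exit, i.e. 'automatically after IKE session terminated'.
    Key derivation is a stand-in (os.urandom), an assumption of this example."""

    SESSION_KEYS = ("skeyid", "skeyid_d", "skeyid_a", "skeyid_e",
                    "IKE session encrypt key",
                    "IKE session authentication key")

    def __init__(self, store: CspStore) -> None:
        self.store = store
        self.zeroized: Dict[str, bytearray] = {}

    def __enter__(self) -> "IkeSession":
        for name in self.SESSION_KEYS:
            self.store.load(name, os.urandom(20))
        return self

    def __exit__(self, exc_type, exc, tb) -> bool:
        # Runs on normal termination and on error alike: keys never outlive
        # the session.
        for name in self.SESSION_KEYS:
            self.zeroized[name] = self.store.zeroize(name)
        return False  # never swallow exceptions


def ike_session_lifecycle() -> dict:
    """Runs one session and reports which CSPs remain afterwards."""
    store = CspStore()
    # Constructed value: a pre-shared key the CO would have configured.
    store.load("ISAKMP preshared secret", b"constructed-psk-for-example")
    with IkeSession(store) as session:
        during = store.names()
    after = store.names()
    return {
        "during": during,
        "after": after,
        "all_zero": all(set(buf) == {0} for buf in session.zeroized.values()),
    }


def no_crypto_isakmp_key(store: CspStore) -> bool:
    """Models the CO command from Table 5; True if the PSK buffer was zeroed
    and the CSP is no longer available."""
    buf = store.zeroize("ISAKMP preshared secret")
    return set(buf) == {0} and store.get("ISAKMP preshared secret") is None


if __name__ == "__main__":
    print(ike_session_lifecycle())
```

Note the caveat that applies to any high-level language: bytes objects and strings are immutable, so copies of a key made before it reached the bytearray (for example the literal passed to load) are not covered by the overwrite. A module validated under FIPS 140-2 performs zeroization on the memory it controls; the example shows the pattern, not a guarantee about the Python heap.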
Table 5 Cryptographic Keys and CSPs (Continued)

Enable secret - Shared Secret - The ciphertext password of the CO ... This password is not accessible by ...
RADIUS secret - Shared Secret - ...
TACACS+ secret - Shared Secret - ... zeroized by executing the "no tacacs-server key" command.

Note All RSA ...

Table 6 SRDI/Role/Service Access Policy

Table 6 lists, for each Security Relevant Data Item (PRNG Seed, DH private exponent, DH public key, ...), the access that each role and service has to it, coded r (read), w (write) and d (delete). Services named in this part of the table include "Change WAN Interface Cards" ...
Table 6 Role and Service Access to CSP (Continued)

Note: An empty entry indicates that a particular SRDI is not accessible by the corresponding service.

SRDIs covered in this part of the table: skeyid, skeyid_d, skeyid_a, skeyid_e, IKE session encrypt key, IKE session authentication key, ISAKMP preshared, IKE hash key, secret_1_0_0, IPSec encryption key, IPSec ... key. Entries are r, r w d or r w per role/service.
Table 6 Role and Service Access to CSP (Continued)

Note: An empty entry indicates that a particular SRDI is not accessible by the corresponding service.

SRDIs covered in this part of the table: ... authentication key, PPP Authentication key, Router authentication key 2, SSH session key, User password, Enable password, Enable secret, RADIUS secret, TACACS+ secret. Entries are r, w, d, r w d or r d per role/service.
Self-Tests

The router includes an array of self-tests that are run at startup ... to ensure that the approved cryptographic algorithms ... are functioning correctly. If any of the self-tests fail, the router transitions to an error state. In order to prevent any secure data from being released, ... is halted and the router outputs status information indicating the failure. Self-tests that cause the system to transition to an error state:
• IOS image ...
- SHA-1 Known Answer Test
- DES Known Answer Test
- AES Known Answer Test
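The power-up known-answer test pattern described above (run each approved algorithm on a fixed input, compare against a published answer, and on any mismatch enter an error state that halts data output) as an added example in Python. This is not Cisco code and not part of the security policy: it models the state machine with the standard library, so only SHA-1 and HMAC-SHA-1 are exercised (the standard library has no DES or AES); the vectors are the published ones from FIPS 180-1 (SHA-1 of "abc") and RFC 2202 test case 1 (HMAC-SHA-1 with key 0x0b*20 over "Hi There"). The class and function names, and the corrupted-vector helper used to show the failure path, are assumptions for illustration.

```python
"""Power-on known-answer self-tests and the resulting error state (added example)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class KnownAnswerTest:
    name: str
    compute: Callable[[], bytes]   # runs the algorithm on its fixed input
    expected_hex: str              # published known answer

    def passes(self) -> bool:
        return hmac.compare_digest(self.compute().hex(), self.expected_hex)


# Published vectors: FIPS 180-1 appendix A and RFC 2202 test case 1.
POWER_ON_KATS: List[KnownAnswerTest] = [
    KnownAnswerTest(
        "SHA-1 Known Answer Test",
        lambda: hashlib.sha1(b"abc").digest(),
        "a9993e364706816aba3e25717850c26c9cd0d89d",
    ),
    KnownAnswerTest(
        "HMAC-SHA-1 Known Answer Test",
        lambda: hmac.new(b"\x0b" * 20, b"Hi There", hashlib.sha1).digest(),
        "b617318655057264e28bc0b6fb378c8ef146be00",
    ),
]


class CryptoModule:
    """Minimal module state machine: SELF_TEST -> OPERATIONAL or ERROR."""

    def __init__(self, kats: List[KnownAnswerTest]) -> None:
        self.kats = kats
        self.state = "SELF_TEST"
        self.status: List[str] = []      # status output, like the router's
        self._power_on()

    def _power_on(self) -> None:
        # Every KAT runs; a single failure is enough to enter the error state.
        failures = [k.name for k in self.kats if not k.passes()]
        if failures:
            self.state = "ERROR"
            self.status.append("self-test failed: " + ", ".join(failures))
        else:
            self.state = "OPERATIONAL"
            self.status.append("all power-on self-tests passed")

    def hmac_service(self, key: bytes, data: bytes) -> bytes:
        """An approved service; refused while the module is not operational,
        so no data leaves the module after a failed self-test."""
        if self.state != "OPERATIONAL":
            raise RuntimeError("module in error state; data output halted")
        return hmac.new(key, data, hashlib.sha1).digest()


def corrupted_kats() -> List[KnownAnswerTest]:
    """The same tests with the SHA-1 expected value altered (constructed
    fault), to exercise the error path without touching the algorithm."""
    first = POWER_ON_KATS[0]
    bad = KnownAnswerTest(first.name, first.compute, "0" * 40)
    return [bad] + POWER_ON_KATS[1:]


if __name__ == "__main__":
    good = CryptoModule(POWER_ON_KATS)
    print(good.state, good.status)
    bad = CryptoModule(corrupted_kats())
    print(bad.state, bad.status)
```

The comparison goes through the module's own status list rather than a return value from the service call, which mirrors the page: a failed module reports the failure on its status output and refuses service, instead of returning a wrong answer to the caller.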
..."#" prompt: enable secret [PASSWORD] • The Crypto Officer must apply tamper evidence labels as described in FIPS-approved mode. OL-8717-01 Cisco 2851 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy 17 IOS version 12.3(11)T03, Advanced Security build (advsecurity) is disabled, administrative access to...; The value of this router without the password will remove the module from the console to users. Secure Operation of the Cisco 2851 Router The Cisco 2851 routers meet all the Level 2 requirements for FIPS 140-2. HMAC-SHA-1 Known Answer Test -
..."#" prompt: enable secret [PASSWORD] • The Crypto Officer must apply tamper evidence labels as described in FIPS-approved mode. OL-8717-01 Cisco 2851 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy 17 IOS version 12.3(11)T03, Advanced Security build (advsecurity) is disabled, administrative access to...; The value of this router without the password will remove the module from the console to users. Secure Operation of the Cisco 2851 Router The Cisco 2851 routers meet all the Level 2 requirements for FIPS 140-2. HMAC-SHA-1 Known Answer Test -
• ... via telnet ... only allowed ... in a FIPS 140-2 configuration ... secured through IPSec, using FIPS-approved algorithms.
• Note ... only the following algorithms ...

Related Documentation

For more information about the Cisco 1841 and Cisco 2801 Integrated Services Router, refer to the following documents:
• Cisco 2800 Series Integrated Services Routers Quick Start Guides
• Cisco 2800 Series Hardware Installation documents
• Cisco 2800 Series Software Configuration documents
• Cisco 2800 Series Cards and Modules ...
Cisco documentation and additional literature are available on the Cisco website. Cisco also provides several ways to ... You can access international Cisco websites at this URL: http://www.cisco.com/public/countries_languages.shtml

Product Documentation DVD

The Product Documentation DVD is a comprehensive library of technical product documentation on portable media, so the documentation is available without being connected to the Internet. ... to 5:00 p.m. (1700) PDT by calling 1 866 463-3487 in the ...
We test our products internally before we release them, and we strive to deliver secure products. ... Report security vulnerabilities in Cisco products ... :
• Emergencies - ... in which a severe and urgent security vulnerability should be reported ...
• Nonemergencies - psirt@cisco.com. All other conditions are considered nonemergencies.

In an emergency, you can also contact PSIRT by telephone:
• 1 877 228-7302
• 1 408 525-6532

... San Jose, CA 95134-9883. We appreciate your ... ; ... are updated in real time, you can ...