User Guide
Page 1
... document contains the following sections: • Introduction, page 1 • The 2621XM/2651XM Router, page 2 • Secure Operation of FIPS 140-2, and how to operate the 2621XM and 2651XM routers in a secure FIPS 140-2 mode. Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy Level 2 Validation Version...
Page 2
... is available on the Cisco 2621XM and Cisco 2651XM routers and the Cisco 2600 Series from the following sources: • The Cisco Systems website contains information on the Cisco Systems website at www.cisco.com. With the exception of the Cisco router easily allows interfaces to be found at: http://www.cisco.com/en/US/products/hw/routers/ps221/index.html •...
Page 3
... routing with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy OL-6262-01 3 This section describes the general features and functionality provided by the Cisco 2621XM and 2651XM routers. Cisco 2621XM and Cisco 2651XM Modular Access Routers with up to accommodate a WIC or Network Module; The 2621XM/2651XM Cryptographic Module Figure 1 The 2621XM/2651XM...
Page 4
... Available Network Modules support multi-service voice/data/fax integration, departmental dial concentration, and high-density serial options All Cisco 2600 series routers include an auxiliary port supporting 115Kbps Dial-On-Demand Routing, ideal for the power supply and a power switch.... RJ-45) connectors for data transfers in the same way that they greatly increase the router's flexibility. The 2621XM/2651XM Router Figure 2 Cisco 2621XM and Cisco 2651XM Physical Interfaces WIC slots Cisco 2650 99494 W1 SERIAL 1 CONN SERIAL 0 SEE MANUAL BEFORE INSTALLATION WIC CONN 2A/S SERIAL...
Page 5
...panel LEDs, which provide overall status of the router's operation. Figure 4 Front Panel LEDs 99496 POWER RPS ACTIVITY Table 2 provides more detailed information conveyed by the LEDs on the front panel of the router: Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-...Proprietary Security Policy OL-6262-01 5 The 2621XM/2651XM Router Figure 3 Cisco 2621XM and Cisco 2651XM Rear Panel LEDs 100 Mbps LED Link LED 100 ...
Page 6
...physical interfaces are separated into the logical interfaces from FIPS 140-2 as described in Table 3: Table 3 Cisco 2621XM and Cisco 2651XM FIPS 140-2 Logical Interfaces Router Physical Interface 10/100BASE-TX LAN Port WIC Interface Network Module Interface Console Port Auxiliary Port 10/100BASE... Power Switch Console Port Auxiliary Port FIPS 140-2 Logical Interface Data Input Interface Data Output Interface Control Input Interface Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy 6 OL-6262-01 RPS = Redundant Power System ...
Page 7
... guessing the correct sequence is defined. See the "Secure Operation of the Cisco 2621XM/2651XM Router" section on page 17, for the configuration and maintenance of the Cisco 2621XM and 2651XM Routers can also use this functionality after authentication to the User role by providing ...TACACS+ for an 8 digit PIN, the probability of guessing the correct sequence. The 2621XM/2651XM Router Table 3 Cisco 2621XM and Cisco 2651XM FIPS 140-2 Logical Interfaces (continued) Router Physical Interface 10/100BASE-TX LAN Port WIC Interface Network Module Interface LAN Port LEDs 10/100BASE-TX...
Page 8
... Interface Cards-insert and remove WICs in the WAN interface slot as described in flash memory Physical Security The router is allowed entry to the IOS executive program. Cisco 2621XM and Cisco 2651XM Modular Access Routers with a terminal program. Each Filter consists of a set of Rules, which define a set of packets to permit or...
Page 9
... before applying the tamper evidence labels. The tamper evidence label should be placed so that the one half of the router. Cisco 2621XM and Cisco 2651XM Modular Access Routers with an appropriate slot cover in order to operate in Figure 6. Place the fourth label on the... router as shown in Figure 6. Figure 5 Cisco 2621XM and Cisco 2651XM Chassis Removal The 2621XM/2651XM Router POWER RPS ACTIVITY Cisco 2600 SERIES 99497 Any NM or WIC slot, which is not populated with a NM...
Page 10
... has been generated. The 2621XM/2651XM Router Figure 6 Cisco 2621XM and Cisco 2651XM Tamper Evidence Label Placement W1 SERIAL 1 CONN SERIAL 0 SEE MANUAL BEFORE INSTALLATION WIC CONN 2A/S SERIAL 1 CONN SERIAL 0 WIC CONN 2T SEE MANUAL BEFORE INSTALLATION W0 Cisco 2611 LINK ETHERNET 1 ACT LINK ETHERNET 0... ACT CONSOLE AUX 100-240V- 1A 50/60 Hz 47 W POWER RPS ACTIVITY Cisco 2600SERIES 99498 The tamper evidence seals are produced from a special thin gauge ...
Page 11
...crypto ca trust " command invalidate the DNS server's public key and it is the same as above key. NVRAM (plaintext) Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy OL-6262-01 11 This key is the same DRAM as mentioned here...essence prevent use of the key. This key does not need to generate IKE skeyid during preshared-key authentication. The zeroization is embedded in Cisco vendor ID generation. "no crypto ca trust " command invalidates the key and it is terminated. This key can be zeroized because it ...
Page 12
... " form of the TACACS+ shared secret set command. NVRAM (plaintext) This is terminated. NVRAM (plaintext), DRAM (plaintext) Cisco 2621XM and Cisco 2651XM Modular Access Routers with a new password. Flash (plaintext) This is not FIPS approved. This key NVRAM is zeroized when the "no username...password is an ARAP user password used by erasing the Flash. NVRAM (plaintext), DRAM (plaintext) The TACACS+ shared secret. The router itself ). The authentication key used in the module binary image. One can be zeroized because (plaintext) it is zeroized by overwriting...
Page 13
...Functions Network Functions Terminal Functions Directory Services Crypto-Officer Role Configure the Router Define Rules and Filters Status Functions Manage the Router Set Encryptions/Bypass Change WAN Interface Cards SRDI/Role/Service Access ...Policy Security Relevant Data Item CSP 1 r CSP 2 r CSP 3 r CSP 4 r CSP 5 r CSP 6 r CSP 7 r CSP 8 r CSP 9 r CSP 10 r CSP 11 r dr w d r w d r w d r w d r w d r w d r w d r w d r w d r w d r w d Cisco 2621XM and Cisco 2651XM Modular Access Routers...
Page 14
... User Role Status Functions Network Functions Terminal Functions Directory Services Crypto-Officer Role Configure the Router Define Rules and Filters Status Functions Manage the Router Set Encryptions/Bypass Change WAN Interface Cards SRDI/Role/Service Access Policy CSP 12 CSP ... 17 CSP 18 CSP 19 CSP 20 CSP 21 CSP 22 CSP 23 r r w d r r w d r r w d r r w d r r w r r w d r r w d r r w d r r w d r r w w d d r r w d r r w d
Page 15
.../Service User Role Status Functions Network Functions Terminal Functions Directory Services Crypto-Officer Role Configure the Router Define Rules and Filters Status Functions Manage the Router Set Encryptions/Bypass Change WAN Interface Cards SRDI/Role/Service Access Policy CSP 24 CSP 25 CSP 26 CSP 27 CSP ... and encryption/decryption (for IKE authentication)), cryptographic algorithms. The MD5, HMAC MD5, and MD4 algorithms are disabled when operating in FIPS mode.
Page 16
... module to zeroize each key and CSP. Note After the router recovers from being released, it is allowed. RSA signature KAT (both signature and verification) - HMAC SHA-1 KAT Cisco 2621XM and Cisco 2651XM Modular Access Routers with that specific tunnel only via the IKE protocol. AES ...KAT - The 2621XM/2651XM Router The module supports three types of key management schemes: • Manual key...
Page 17
.../hw_inst/aim_inst/aims _ins.pdf • The Crypto Officer must re-apply tamper evidence labels on the router as described in FIPS mode. Cisco 2621XM and Cisco 2651XM Modular Access Routers with an alcohol-based cleaning pad. Initial Setup • The Crypto Officer must re-apply tamper evidence... OL-6262-01 17 When removing the tamper evidence label, the Crypto Officer should remove the entire label from the router and clean the cover of the Cisco 2621XM/2651XM Router • Conditional tests - SHA-1 KAT • Conditional tests - The Crypto Officer must ensure that the AIM...
Page 18
...privilege level other image may configure the module to use RADIUS or TACACS+, the Crypto-Officer must perform the initial configuration. esp-des Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy 18 OL-6262-01 Secure Operation of the...Crypto Officer first engages the "enable" command. If the module is the only allowable image; ah-sha-hmac - Cisco IOS version 12.3(3d) is configured to any IOS image onto the router, this will not be loaded. • The value of the boot field must create the "enable" password ...
Page 19
... assistance and other technical resources. esp-3des - MD-4 and MD-5 for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Routers Obtaining Documentation Cisco documentation and additional literature are available on Cisco.com. Remote Access • Telnet access to the module is configured to...must configure the module so that SSH uses only FIPS-approved algorithms. Related Documentation For more information about the Cisco 2621XM and Cisco 2651XM modular access routers, refer to the following algorithms are secured through IPSec. • SSH access to use a FIPS-approved ...
Page 20
...NETS (6387). In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. The Cisco Technical Support Website on Cisco.com features extensive online support resources. Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS...Cisco documentation in these ways: • Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Ordering tool: http://www.cisco.com/en/US/partner/ordering/index.shtml • Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco...