User Guide
Page 1
Cisco 7606-S and 7609-S Routers with Supervisor SUP720-3B FIPS 140-2 Non Proprietary Security Policy Level 2 Validation Version 0.5 May, 2011 © Copyright 2007 Cisco Systems, Inc. 1 This document may be freely reproduced and distributed whole and intact including this Copyright Notice.
User Guide
Page 2
... of Contents 1 INTRODUCTION...3 1.1 PURPOSE ...3 1.2 MODULE VALIDATION LEVEL 3 1.3 REFERENCES...3 1.4 TERMINOLOGY ...4 1.5 DOCUMENT ORGANIZATION 4 2 CISCO 7606-S AND 7609-S ROUTERS WITH SUPERVISOR SUP720-3B 5 2.1 CRYPTOGRAPHIC MODULE PHYSICAL CHARACTERISTICS 5 2.2 MODULE INTERFACES...6 2.3 ROLES AND SERVICES...8 2.3.1 Authentication 9 2.3.2 Services...SYSTEM INITIALIZATION AND CONFIGURATION 21 3.2 PROTOCOLS ...22 3.3 REMOTE ACCESS ...22
User Guide
Page 3
...2 N/A 2 2 2 2 N/A 2 Table 1 Module Validation Level 1.3 References This document deals only with operations and capabilities of the Cisco 7606-S and 7609-S Routers with Supervisor SUP720-3B. More information is available on -board crypto enabled in a secure FIPS 140-2 mode. Please refer to operate the...the FIPS PUB 140-2. 1 Introduction 1.1 Purpose This document is the non-proprietary Cryptographic Module Security Policy for the Cisco 7606S and 7609-S Routers with Supervisor SUP720-3B in the technical terms of a FIPS 140-2 cryptographic module security policy. FIPS 140-2 (...
User Guide
Page 4
...configuration for the module. 1.4 Terminology In this document, the Cisco 7606-S and 7609-S Routers with Supervisor SUP720-3B and explains the secure configuration and operation of the FIPS 140-2 Submission Package. In addition to as the router, the module, or the system. 1.5 Document Organization The ...provides an overview of the Cisco 7606-S and 7609-S Routers with Supervisor SUP720-3B is part of the module. For access to the contacts listed on the Cisco Systems website at www.cisco.com. http://www.cisco.com/en/US/prod/collateral/routers/ps368/ps371/product_data_sheet0900aecd80 57f3c8....
User Guide
Page 5
... applications in a 6-slot and 9-slot form factor for deployment at the enterprise edge. 2 Cisco 7606-S and 7609-S Routers with Supervisor SUP720-3B The Cisco 7600-S Router is a compact, high-performance router designed in both enterprises and service providers. Cisco 7606-S Router ...
User Guide
Page 6
... is illustrated in Figures 1 and 2 above as being the physical enclosure of the functionality described in the figures below: © Copyright 2011 Cisco Systems, Inc. 6 This document may be freely reproduced and distributed whole and intact including this cryptographic boundary. Cisco 7609-S Router The cryptographic boundary is provided by components within this Copyright Notice.
User Guide
Page 7
...engine is operational and active. A major hardware problem has occurred The supervisor engine is in standby mode. All chassis environmental ...). SUP 720-3B interfaces The following tables provide more detailed information conveyed by the LEDs on the front and rear panel of the router: Name Status System Active State Green Orange Red Green Orange Red Green Orange Description All diagnostics pass. Figure 3 - A minor hardware...
User Guide
Page 8
...There is available for all modules. Table 2 - A major power failure has occurred. These LEDs are described in the router that operators can be freely reproduced and distributed whole and intact including this Copyright Notice. There are mapped to configure and maintain the...detected. LED Indicators The module provides a number of the router assumes the Crypto Officer role in section 2.3.2 © Copyright 2011 Cisco Systems, Inc. 8 This document may be found in order to the following table: Router Physical Interface Gigabit/SFP Ethernet ports Console Port Gigabit/SFP...
User Guide
Page 10
...interface N/A User password, Enable password, RADIUS secret, TACACS+ secret, DH shared secret, Router Authentication key, PPP authentication key, SSH private key ... Each Filter consists of a set of the router. Functions (r, w, x, z) Terminal Functions Directory Services Perform...
User Guide
Page 11
... CO is a multi-chip standalone cryptographic module. Perform the FIPS 140 start-up router configurations, view complete configurations, manager user rights, and restore router configurations. Manage the router (r, w) Perform Self-Tests status. Model 7606-S 7609-S Tamper Evident Labels Opacity Shields 20 1 15 N/A 2.4.1 Module Opacity Table 6... switch on a Catalyst 7606-S chassis that is not rack-mounted, install the chassis in the © Copyright 2011 Cisco Systems, Inc. 11 This document may be installed for the modules are met by the module. TELs To install an...
User Guide
Page 12
... strap. the installation hardware is sufficient. Proceed to Figure 5 for snap rivet fastener placement. Repeat step 4 and step 5 for the Cisco 7606-S router (part number 800-26211). Remove the opacity shield from the extras supplied in the bag of loss or damage. • Start the ...two thumbscrews in the corresponding threaded holes in case of fasteners. 6. two or three turns is premounted in Cisco 7600 Series Router Installation Guide. Position the rivet sleeve over the air intake side of the chassis so that the thumbscrews are aligned with a chassis...
User Guide
Page 13
...rack. The CO shall inspect for FIPS 140-2 validation, short-term operation as depicted in the figures below. Short-term operation requirements...meet overall FIPS 140-2 Level 2 requirements, the module cannot be met at 55 °C. Installing the Opacity Shield on the Cisco 7606-S Router The 7609-S does not require any opacity shields. 2.4.2 Tamper Evidence Once the module has been configured to meet the short-term operations requirements...
User Guide
Page 17
12-15 Figure 6 - TEL placement for 7609-S 2.5 Cryptographic Algorithms The module implements a variety of approved and non-approved algorithms. 2.5.1 Approved Cryptographic Algorithms The routers support the following FIPS-2 approved algorithm implementations:
User Guide
Page 18
... • DES • DES MAC • MD5 • MD4 • HMAC MD5 • Non Approved RNGs 2.6 Cryptographic Key Management The router securely administers both manually and electronically distributed but entered electronically. key establishment methodology provides between 80 and 156 bits of encryption strength) • RSA ... Approved Algorithms Allowed in FIPS Mode The module supports the following types of key management schemes:
User Guide
Page 20
The router includes an array of self-tests that are functioning correctly. SSH Private key SSH session key RSA Triple‐ DES/AES 1024‐2048 bits ... Self Tests o POST tests AES Known Answer Test RSA Signature Known Answer Test (both signature/verification) Software/firmware test
User Guide
Page 21
The Crypto Officer must be freely reproduced and distributed whole and intact including this router without maintaining the following syntax: line con 0 password [PASSWORD] login local 5. The value of the boot field must perform the initial...for Users. The Crypto Officer must always assign passwords (of operation. 3.1 System Initialization and Configuration 1. no other than its default. © Copyright 2011 Cisco Systems, Inc. 21 This document may be 0x0102. all special characters except '?' From the "configure terminal" command line, the Crypto Officer enters the ...
User Guide
Page 22
... to use a FIPS-approved algorithm. SNMPv3 is configured to use RADIUS or TACACS+ for authentication is granted. © Copyright 2011 Cisco Systems, Inc. 22 This document may configure the module to use RADIUS or TACACS+ for authentication. RADIUS and TACACS+ shared secret ...since the key derivation used as by SNMPv3 is not allowed while in FIPS mode of operation. 3.2 Protocols 1. Loading any IOS image onto the router is not FIPS compliant. 3.3 Remote Access 1. 7. The Crypto Officer may be at least 8 characters long. 8. SNMPv3 uses FIPS approved cryptographic ...
Installation Guide
Page 1
Cisco 7609 Internet Router Installation Guide September 2004 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Customer Order Number: DOC-7812797= Text Part Number: OL-5079-04
Installation Guide
Page 2
...in which case users will not occur in a commercial environment. and certain other company. (0303R) Cisco 7609 Internet Router Installation Guide Copyright © 2001-2003, Cisco Systems, Inc. All other of the television or radio. • Move the equipment farther away.... and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, ...
Installation Guide
Page 3
... World Wide Web xiii Documentation CD-ROM xiv Ordering Documentation xiv Documentation Feedback xiv Obtaining Technical Assistance xv Cisco.com xv Technical Assistance Center xvi Product Overview 1-1 Warning # 1017 1-2 Cisco 7609 Internet Router 1-4 System Features 1-6 Bandwidth and Port Density 1-6 Redundancy 1-7 Component Hot Swapping 1-8 Cisco 7600 Internet Router Components 1-8 Fan Assembly 1-8 Power Supplies 1-9 Cisco 7609 Internet Router Installation Guide iii