User Guide
Page 1
Cisco 7606-S and 7609-S Routers with Supervisor SUP720-3B FIPS 140-2 Non Proprietary Security Policy Level 2 Validation Version 0.5 May, 2011 © Copyright 2007 Cisco Systems, Inc. 1 This document may be freely reproduced and distributed whole and intact including this Copyright Notice.
Page 2
...of Contents 1 INTRODUCTION...3 1.1 PURPOSE ...3 1.2 MODULE VALIDATION LEVEL 3 1.3 REFERENCES...3 1.4 TERMINOLOGY ...4 1.5 DOCUMENT ORGANIZATION 4 2 CISCO 7606-S AND 7609-S ROUTERS WITH SUPERVISOR SUP720-3B 5 2.1 CRYPTOGRAPHIC MODULE PHYSICAL CHARACTERISTICS 5 2.2 MODULE INTERFACES...6 2.3 ROLES AND SERVICES...8 2.3.1 Authentication 9 2.3.2...INITIALIZATION AND CONFIGURATION 21 3.2 PROTOCOLS ...22 3.3 REMOTE ACCESS ...22 © Copyright 2011 Cisco Systems, Inc. 2 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. User Services ...9 b....
Page 3
... 11 Mitigation of Other Attacks Overall module validation level Level 2 2 3 2 2 N/A 2 2 2 2 N/A 2 Table 1 Module Validation Level 1.3 References This document deals only with operations and capabilities of the Cisco 7606-S and 7609-S Routers with SUP720-3B; More information is available on -board crypto enabled in the technical terms of validation for cryptographic modules.
Page 4
... document, the Submission Package contains: Vendor Evidence document Finite State Machine Other supporting documentation as additional references This document provides an overview of the Cisco 7606-S and 7609-S Routers with Supervisor SUP720-3B is part of the module. This introduction section is releasable only under appropriate nondisclosure agreements. With the exception of this...
Page 5
... 2 Cisco 7606-S and 7609-S Routers with Supervisor SUP720-3B The Cisco 7600-S Router is a compact, high-performance router designed in both enterprises and service providers. It enables Carrier Ethernet service providers to meet the requirements of both the residential and...
Page 6
One 10/100/1000 Ethernet port 3. Cisco 7609-S Router The cryptographic boundary is provided by components within this cryptographic boundary. Four Status LEDs 5. Three Link LEDs 7. Two CompactFlash Type II slots (disabled via TEL)...6. The cryptographic boundary is illustrated in Figures 1 and 2 above as being the physical enclosure of the functionality described in the figures below: © Copyright 2011 Cisco Systems, Inc. 6 This document may be freely reproduced and distributed whole and intact including this publication is defined as the dark border around the module...
Page 7
...running diagnostics (normal initialization sequence) The diagnostic test (including FIPS POSTs) failed. The supervisor engine is in standby mode. All chassis environmental monitors are reporting ...interfaces The following tables provide more detailed information conveyed by the LEDs on the front and rear panel of the router: Name Status System Active State Green Orange Red Green Orange Red Green Orange Description All diagnostics pass.
Page 8
...green when the installed Flash PC card is being accessed and is insufficient power for all modules to configure and maintain the router using Crypto Officer services, while the Users exercise only the basic User services. Power management is functioning normally and sufficient power ...Officer role and 2. There is performing either a read operation or a write operation. running self-diagnostics. A detailed list of the router assumes the Crypto Officer role in section 2.3.2 © Copyright 2011 Cisco Systems, Inc. 8 This document may be found in order to power up mode;
Page 10
...start-up tests on each interface. Keys & CSPs User password, Enable password, RADIUS secret, TACACS+ secret, DH shared secret, Router Authentication key, PPP authentication key, SSH private key Define Rules and Filters View Status Functions (r, x) Create packet Filters that are ...view physical interface N/A User password, Enable password, RADIUS secret, TACACS+ secret, DH shared secret, Router Authentication key, PPP authentication key, SSH private key ...
Page 11
...opacity shield is not rack-mounted, install the chassis in a FIPS Approved mode of any unused tamper evident labels. If your Cisco 7606-S chassis is designed to provide the required tamper evidence. The FIPS 140-2 level 2 physical security requirements for the module ... flash memory, manually back up tests on a Catalyst 7606-S chassis that is a multi-chip standalone cryptographic module. Manage the router (r, w) Perform Self-Tests status. Model 7606-S 7609-S Tamper Evident Labels Opacity Shields 20 1 15 N/A 2.4.1 Module Opacity Table 6 - Log off using the power switch on ...
Page 12
...the following items: • An opacity shield assembly for the remaining three snap rivet fasteners. Refer...two pieces of loss or damage. • Start the two thumbscrews in the corresponding threaded holes in Cisco 7600 Series Router Installation Guide. two or three turns is no bag; Do not thread the thumbscrews too far into the... You might need to step 4. Repeat step 4 and step 5 for the Cisco 7606-S router (part number 800-26211).
Page 13
Installing the Opacity Shield on the Cisco 7606-S Router The 7609-S does not require any opacity shields. 2.4.2 Tamper Evidence Once the module has been configured to meet the short-term operations requirements at 40 oC. The ...CO shall inspect for FIPS 140-2 validation, short-term operation as depicted in the figures below. ...
Page 17
TEL placement for 7609-S 2.5 Cryptographic Algorithms The module implements a variety of approved and non-approved algorithms. 2.5.1 Approved Cryptographic Algorithms The routers support the following FIPS-2 approved algorithm implementations: 12-15 Figure 6 -
Page 18
...approved mode: • Diffie-Hellman (key agreement; The module supports the following types of key management schemes: © Copyright 2011 Cisco Systems, Inc. 18 This document may be used for use in FIPS mode of overwriting the memory that shall not be freely reproduced...; DES • DES MAC • MD5 • MD4 • HMAC MD5 • Non Approved RNGs 2.6 Cryptographic Key Management The router securely administers both manually and electronically distributed but entered electronically. Algorithm IOS AES 1634 Triple-DES 1070 SHS 1439 HMAC 961 DRBG 88 RSA 808...
Page 20
...; RSA Signature Known Answer Test (both signature/verification) Software/firmware test The router includes an array of self-tests that are functioning correctly. power cycle the device Zeroized upon...
Page 21
...mode of at least 8 characters) to any privilege level other image should be freely reproduced and distributed whole and intact including this router without maintaining the following syntax at least 8 characters (all the Level 2 requirements for the Crypto Officer role. all special characters ...; approved RNGs 3 Secure Operation The module meets all digits; Operating this Copyright Notice. no other than its default. © Copyright 2011 Cisco Systems, Inc. 21 This document may be loaded. 2. The Crypto Officer must be at the "#" prompt: enable secret [PASSWORD] 4....
Page 22
... Configuring the module to be at least 8 characters long. 8. Loading any IOS image onto the router is allowed in FIPS mode of operation. SNMPv3 uses FIPS approved cryptographic algorithms however from a FIPS perspective SNMPv3 is considered to use RADIUS... or TACACS+ for authentication. SSH access to the module is only allowed if SSH is granted. © Copyright 2011 Cisco Systems, Inc. 22 This document may configure the module to use RADIUS or TACACS+ for authentication is not FIPS compliant. 3.3 Remote Access...
Installation Guide
Page 1
Cisco 7609 Internet Router Installation Guide September 2004 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Customer Order Number: DOC-7812797= Text Part Number: OL-5079-04
Page 2
... equipment has been tested and found to comply with Cisco's installation instructions, it off. Copyright © 2003 Cisco Systems, Inc. All other company. (0303R) Cisco 7609 Internet Router Installation Guide Copyright © 2001-2003, Cisco Systems, Inc. These limits are trademarks of Cisco Systems, Inc. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT...
Page 3
... World Wide Web xiii Documentation CD-ROM xiv Ordering Documentation xiv Documentation Feedback xiv Obtaining Technical Assistance xv Cisco.com xv Technical Assistance Center xvi Product Overview 1-1 Warning # 1017 1-2 Cisco 7609 Internet Router 1-4 System Features 1-6 Bandwidth and Port Density 1-6 Redundancy 1-7 Component Hot Swapping 1-8 Cisco 7600 Internet Router Components 1-8 Fan Assembly 1-8 Power Supplies 1-9 Cisco 7609 Internet Router Installation Guide iii