User Guide
Page 1
...Government requirements for Cryptographic Modules) details the U.S. This policy was prepared as part of the Level 2 FIPS 140-2 validation of the Cisco 2621XM/2651XM Router, page 17 • Related Documentation, page 19 • Obtaining Documentation, page 19 • Documentation Feedback, page 20... standard and validation program is the non-proprietary Cryptographic Module Security Policy for the 2621XM and 2651XM Modular Access Routers with AIM-VPN/EP. All rights reserved. Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy...
Page 2
...costs. The Cisco Cisco 2621XM and Cisco 2651XM Modular Access Routers with operations and capabilities of the Cisco 2621XM and Cisco 2651XM routers in the technical terms of the Cisco 2621XM and 2651XM routers. For access to these documents, please contact Cisco Systems The 2621XM/2651XM Router Branch... to enhance productivity and merging the voice and data infrastructure to this document, the Cisco 2621XM and Cisco 2651XM routers are dramatically evolving, driven by "The 2621XM/2651XM Router", which details the general features and functionality of a FIPS 140-2 cryptographic...
Page 3
...except any installed modular WICs or Network Modules. The 2621XM/2651XM Cryptographic Module Figure 1 The 2621XM/2651XM Router POWER RPS ACTIVITY Cisco 2600SERIES 99493 The 2621XM and 2651XM Routers are located on the motherboard. Cisco 2621XM and Cisco 2651XM Modular Access Routers with up to accommodate a WIC...the power needed for building virtual private networks or outsourced dial solutions. The cryptographic boundary is provided by the Cisco 2621XM and 2651XM routers. In other words, the cryptographic boundary encompasses all portions of the "backplane" of the case...
Page 4
...the Network Module (just as they only serve as a data input and data output physical interface. The 2621XM/2651XM Router Figure 2 Cisco 2621XM and Cisco 2651XM Physical Interfaces WIC slots Cisco 2650 99494 W1 SERIAL 1 CONN SERIAL 0 SEE MANUAL BEFORE INSTALLATION WIC CONN 2A/S SERIAL 1 CONN SERIAL...'t pass through them. WAN interface cards support a variety of two slots, which are similar to Network Modules in Table 1: Cisco 2621XM and Cisco 2651XM Modular Access Routers with the cryptographic card; WICs are located above the fixed LAN ports. A WIC is inserted, it ...
Page 5
... SERIAL 0 SEE MANUAL BEFORE INSTALLATION WIC CONN 2A/S FDX W0 Cisco 2621 10/100 ETHERNET 0/1 10/100 ETHERNET 0/0 CONSOLE AUX 10/100BASE-T Ethernet 0/1 (RJ-45) 10/100BASE-T Ethernet 0/0 (RJ-45) Auxiliary port (RJ-45) Console port (RJ-45) 99495 Table 1 Cisco 2621XM and Cisco 2651XM Rear Panel LEDs and Descriptions LED LINK FDX 100 Mbps...
Page 6
... level of these physical interfaces are separated into the logical interfaces from FIPS 140-2 as described in Table 3: Table 3 Cisco 2621XM and Cisco 2651XM FIPS 140-2 Logical Interfaces Router Physical Interface 10/100BASE-TX LAN Port WIC Interface Network Module Interface Console Port Auxiliary ... Module Interface Power Switch Console Port Auxiliary Port FIPS 140-2 Logical Interface Data Input Interface Data Output Interface Control Input Interface RPS = Redundant...
Page 7
...services consist of guessing the correct sequence. Both roles are two main roles in the online help for more information. The User and..., the User can also use this functionality after authentication to additional accounts, thereby creating additional Crypto Officers. The 2621XM/2651XM Router Table 3 Cisco 2621XM and Cisco 2651XM FIPS 140-2 Logical Interfaces (continued) Router Physical Interface 10/100BASE-TX LAN Port WIC Interface Network Module ...
Page 8
... to be used for each interface. The top portion of IOS currently running • Network Functions-connect to the IOS executive program. Cisco 2621XM and Cisco 2651XM Modular Access Routers with a terminal program. User Services A User enters the system by a thick steel chassis. The rear of ...User is entirely encased by accessing the console port with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy 8 OL-6262-01 The 2621XM/2651XM Router • Define Rules and Filters-create packet Filters that are applied to User data streams on -board LAN connectors, Console...
Page 9
Figure 5 Cisco 2621XM and Cisco 2651XM Chassis Removal The 2621XM/2651XM Router POWER RPS ACTIVITY Cisco 2600 SERIES 99497 Any NM or WIC slot, which is not populated with a NM or WIC, must also be above 10 C. Once the router has ... tamper evidence label should be followed to apply tamper evidence labels for NMs and WICs must be ordered from Cisco. Place the fourth label on the router as shown in Figure 6. Cisco 2621XM and Cisco 2651XM Modular Access Routers with an appropriate slot cover in Figure 6. Place the fifth label on the router as...
Page 10
...key exchange or Internet Key Exchange (IKE). This key is the seed key for all keys. DRAM (plaintext) Cisco 2621XM and Cisco 2651XM Modular Access Routers with self-adhesive backing. hence, it is terminated. Zeroized after the generation of 400 bites...Cryptographic Key Management The router securely administers both cryptographic keys and other critical security parameters such as passwords. The 2621XM/2651XM Router Figure 6 Cisco 2621XM and Cisco 2651XM Tamper Evidence Label Placement W1 SERIAL 1 CONN SERIAL 0 SEE MANUAL BEFORE INSTALLATION WIC CONN 2A/S SERIAL ...
Page 11
...the same as above. The zeroization is a public key of the CA. DRAM (plaintext) The IPSec authentication key. NVRAM (plaintext) The zeroization is different from the ...that key. This label is the same as mentioned here. This key can be zeroized because it frees the public key label which in Cisco vendor ID generation. These keys are expired either when CRL (certificate revocation list) expires or 5 secs after DRAM generating those keys. ...
Page 12
...to encrypt values of the TACACS+ shared secret set command. However, the algorithm used by executing the "no" form of the CO role. The 2621XM/2651XM Router Table 4 Critical Security Parameters (continued) 18 CSP 18 19 CSP 19 20 CSP 20 21 CSP 21 22 CSP 22 23 CSP 23... key used as this (plaintext) key because it is used in the DRAM and DRAM not zeroized at runtime. NVRAM (plaintext), DRAM (plaintext) Cisco 2621XM and Cisco 2651XM Modular Access Routers with a new password. The password retrieved from the AAA server and sends it with AIM-VPN/EP FIPS 140-2 Non-Proprietary...
Page 13
The 2621XM/2651XM Router The services accessing the CSPs, the type of access and which role accesses the CSPs are listed in Table 5. Table 5 Role and Service ... Interface Cards SRDI/Role/Service Access Policy Security Relevant Data Item CSP 1 r CSP 2 r CSP 3 r CSP 4 r CSP 5 r CSP 6 r CSP 7 r CSP 8 r CSP 9 r CSP 10 r CSP 11 r dr w d r w d r w d r w d r w d r w d r w d r w d r w d r w d r w d
Page 14
The 2621XM/2651XM Router Table 5 Role and Service Access to CSPs (continued) Role/Service User Role Status Functions Network Functions Terminal Functions Directory Services Crypto-Officer Role ... Policy CSP 12 CSP 13 CSP 14 CSP 15 CSP 16 CSP 17 CSP 18 CSP 19 CSP 20 CSP 21 CSP 22 CSP 23 r r w d r r w d r r w d r r w d r r w r r w d r r w d r r w d r r w d r r w w d d r r w d r r w d
Page 15
Table 5 Role and Service Access to CSPs (continued) The 2621XM/2651XM Router Role/Service User Role Status Functions Network Functions Terminal Functions Directory Services Crypto-Officer Role Configure the Router Define Rules and Filters Status ... (for digital signatures and encryption/decryption (for IKE authentication)), cryptographic algorithms. The MD5, HMAC MD5, and MD4 algorithms are disabled when operating in FIPS mode.
Page 16
...by the AIM-VPN/EP, the router only allows plaintext traffic to zeroize each key and CSP. AES KAT - HMAC SHA-1 KAT Cisco 2621XM and Cisco 2651XM Modular Access Routers with that specific tunnel only via the IKE protocol. The Crypto Officer needs to be zeroized. The pre-shared...power-up self-test performed by the IOS image: • Power-up bypass test - RSA signature KAT (both signature and verification) - The 2621XM/2651XM Router The module supports three types of key management schemes: • Manual key exchange method that is halted and the router outputs status ...
Page 17
...up tests - Continuous random number generator tests Self-tests performed by opening the chassis and visually confirming the presence of the Cisco 2621XM/2651XM Router The Cisco 2621XM and 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy OL-6262-01 17 Firmware integrity test...remove the entire label from the FIPS approved mode of any grease, dirt, or oil with an alcohol-based cleaning pad. Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP meet all the Level 2 requirements for detailed instructions on the router as described ...
Page 18
... Cryptographic Algorithms • There are two types of key management method that are allowed in a FIPS 140-2 configuration: - esp-des If the module is the only... allowable image; Cisco IOS version 12.3(3d) is configured to the ROM monitor and automatically boots the Cisco IOS image. Secure Operation of the Cisco 2621XM/2651XM Router • The Crypto Officer must define RADIUS or TACACS+ shared...
Page 19
... provides several ways to obtain technical information from Cisco Systems. Cisco.com You can access the most current Cisco documentation at this URL: http://www.cisco.com/univercd/home/home.htm You can access the Cisco website at this URL: http://www.cisco.com Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non...
Page 20
....shtml • Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by writing to bug-doc@cisco.com. Cisco 2621XM and Cisco 2651XM Modular Access Routers... with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy 20 OL-6262-01 In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. You...