User Guide
Page 1
... Cisco 2621XM and 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy, Level 2 Validation, Version 1.3, June 2, 2004. Introduction: FIPS 140-2 (Federal Information Processing Standards Publication 140-2, Security Requirements for Cryptographic Modules) ... is available on the NIST website at http://csrc.nist.gov/cryptval/. Cisco 2621XM and Cisco 2651XM Modular Access...
Page 2
... referred to as additional references. This document provides an overview of the Cisco 2621XM and 2651XM routers and explains their secure configuration and operation. References: this document deals only with the routers in the terms of a FIPS 140-2 cryptographic module security policy. The 2621XM/2651XM Router: The...
Page 3
... or Network Module and the motherboard/daughterboard that meets FIPS 140-2 Level 2 requirements. The Cisco 2621XM and 2651XM routers incorporate an AIM-VPN/EP cryptographic accelerator card. The AIM-VPN/EP is located inside the module chassis ... the rear panel as shown in ... This cryptographic boundary encompasses the "top," "front," "left," "right," and ... Cisco IOS features such as ...
Page 4
... for local system access and an auxiliary port for remote system access or dial backup using a modem. Figure 2: Cisco 2621XM and Cisco 2651XM Physical Interfaces (figure; the labels show the WIC slots and the SERIAL 0 / SERIAL 1 WIC connectors). ... that the fixed LAN ports do not interface with the cryptographic card; network modules ... The expansion bus interacts with the PCI bridge in ... Table 1: Cisco 2621XM and Cisco 2651XM Modular Access Routers with ...
Page 5
... POWER, RPS, ACTIVITY. Table 2 provides more detailed information conveyed by the LEDs on the front panel of the router. Figure 3: Cisco 2621XM and Cisco 2651XM Rear Panel LEDs (figure; the labels show the 100 Mbps, Link and FDX LEDs of the LAN ports and the SERIAL 0 / SERIAL 1 connectors). ... whether or not the router is booted, if the redundant power is established ... Figure 4 shows the front panel LEDs, which provide overall status of the router's operation.
Page 6
... At the level of these physical interfaces, they are separated into the FIPS 140-2 logical interfaces as described in Table 3.
Table 3: Cisco 2621XM and Cisco 2651XM FIPS 140-2 Logical Interfaces (router physical interface -> FIPS 140-2 logical interface)
- Data Input Interface: 10/100BASE-TX LAN Port, WIC Interface, Network Module Interface, Console Port, Auxiliary Port
- Data Output Interface: ...
- Control Input Interface: 10/100BASE... Interface, Power Switch, Console Port, Auxiliary Port
Page 7
... the FIPS mode. If only integers 0-9 are ... are authenticated by providing a valid Crypto Officer username and password. Table 3: Cisco 2621XM and Cisco 2651XM FIPS 140-2 Logical Interfaces (continued): router physical interfaces 10/100BASE-TX LAN Port, WIC Interface, Network Module Interface, LAN ... Both roles are used in the router: ... Crypto Officers configure and maintain the router using Crypto Officer services, while Users exercise only the basic User services.
Page 8
User Services: A User enters the system by accessing the console port with a terminal program. If the password is correct, the User is ... The services ... • Define Rules and Filters: create packet filters that are applied to ... plaintext packets ... for each interface. ... Physical security: the router is entirely encased by a thick steel chassis. The top portion of ... can be removed (see Figure 5) to allow ... the motherboard, memory, and expansion slots. ... of this document.
Page 9
... router. Any attempt to remove a WAN interface card will leave tamper evidence. ... should be populated with an appropriate slot cover in order to operate in a FIPS compliant mode. ... The tamper evidence label should be ... on the router as shown in Figure 6. Alcohol-based cleaning pads are included with each ... The temperature of ... should be above 10 C. ... signs of tampering. The same procedure mentioned below is used to apply tamper evidence labels for NMs ...
Page 10
... the painted surface and metal of ... 400 bits; Tamper evidence seals are produced from a special thin gauge vinyl with self-adhesive backing. Keys ... DRAM (plaintext) ... can also be zeroized by ... the password-protection ...
Page 11
... IKE. This key is a public key; however, it ... DRAM (plaintext). The IPSec authentication key: ... NVRAM (plaintext). This key does not need to ... generate IKE skeyid during preshared-key ... The "no crypto ca trust..." command invalidates the key and frees the public key label, which in essence prevents use of the CA. Table 4: Critical Security Parameters (continued), CSP 4 through CSP 12 ...
Page 12
... form of the configuration file. This shared secret is zeroized by overwriting it ... in NVRAM; it is used to ... the peer. However, it ... A ... function uses this key ... from the local database (on ... is used as ... this key in the module binary image: NVRAM (plaintext). The RADIUS shared secret: NVRAM (plaintext), DRAM (plaintext). ... zeroized by overwriting with a new password. (plaintext) The ciphertext password of the ... The TACACS+ shared secret: ... set command. Zeroized after the ...
Page 13
Table 5: Role and Service Access to CSPs. The services accessing the CSPs, the type of access and which role accesses the CSPs are listed in Table 5: for each item (CSP 1 through CSP 11 on this page) the access is marked r (read), w (write) or d (delete). ... The 2621XM/2651XM Router ...
Page 14
Table 5: Role and Service Access to CSPs (continued). Role/Service rows: User Role (Status Functions, Network Functions, Terminal Functions, Directory Services); Crypto-Officer Role (Configure ... Policy). Columns CSP 12 through CSP 23, each marked r (read), w (write) or d (delete).
Page 15
Table 5: Role and Service Access to CSPs (continued). Role/Service rows: User Role (Status Functions, Network Functions, Terminal Functions, Directory Services); Crypto-Officer Role (Configure the Router, Define Rules and Filters, Status Functions, ...). Cryptographic algorithms: ... RSA (for digital signatures and encryption/decryption (for IKE authentication)) ... The MD5, HMAC MD5, and MD4 algorithms are disabled when operating in FIPS mode.
Page 16
Self-tests: The router includes an array of self-tests ... to insure all secure data transmission is protected. Power-up self-tests performed by the IOS image: • Power-up bypass test • HMAC SHA-1 KAT • AES KAT ... a power-up self-test performed by the AIM-VPN/EP, the ... all the pre-shared keys. The pre-shared keys are directly associated with ... RSA-signature authentication ... performed by a password.
Page 17
... • Continuous random number generator test. Secure Operation of the Cisco 2621XM/2651XM Router: ... mode of operation. The Crypto Officer must ensure that the AIM-VPN/EP cryptographic accelerator card is installed in order to operate in FIPS mode. ... When removing the tamper evidence label ...
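The self-tests listed above (HMAC SHA-1 KAT, continuous random number generator test) are what a module runs at power-up and while it operates. The following is an added example, not code from the Cisco security policy or from IOS, showing how those two kinds of test are implemented with the Python standard library: a known-answer table checked at start-up, and a FIPS 140-2 section 4.9.2 continuous test that withholds the first block and rejects any block equal to its predecessor. The AES KAT the policy also lists is left out because the standard library has no AES; the replay source and its block values are constructed for the demonstration, and the known answers come from FIPS 180 (SHA-1 of "abc") and RFC 2202 test case 1 (HMAC-SHA-1).

```python
"""Power-up known-answer tests and a continuous RNG test (added example).

Not code from the Cisco security policy or IOS. Test vectors: SHA-1("abc")
from FIPS 180 and HMAC-SHA-1 test case 1 from RFC 2202.
"""
import hashlib
import hmac
import os
from typing import Callable, Dict, List


def _sha1_abc() -> str:
    return hashlib.sha1(b"abc").hexdigest()


def _hmac_sha1_rfc2202_case1() -> str:
    return hmac.new(b"\x0b" * 20, b"Hi There", hashlib.sha1).hexdigest()


# test name -> (function that computes the answer, expected answer)
KATS: Dict[str, tuple] = {
    "SHA-1 KAT": (_sha1_abc, "a9993e364706816aba3e25717850c26c9cd0d89d"),
    "HMAC SHA-1 KAT": (_hmac_sha1_rfc2202_case1,
                       "b617318655057264e28bc0b6fb378c8ef146be00"),
}


def run_power_up_kats() -> Dict[str, bool]:
    """Run every known-answer test; returns {test name: passed}.

    A module in FIPS mode treats any failure as an error state and refuses
    cryptographic services, so callers should require all() of the values.
    """
    return {name: hmac.compare_digest(compute(), expected)
            for name, (compute, expected) in KATS.items()}


class ContinuousRngTest:
    """FIPS 140-2 section 4.9.2 continuous random number generator test.

    The first block produced after power-up is withheld and kept only for
    comparison; every later block must differ from the block before it.
    Two equal consecutive blocks mean the generator is stuck, and the test
    fails by raising RuntimeError.
    """

    def __init__(self, source: Callable[[int], bytes], block_len: int = 16):
        if block_len < 2:  # the standard requires blocks of more than 15 bits
            raise ValueError("block_len must be at least 2 bytes")
        self._source = source
        self._n = block_len
        self._last = source(block_len)  # withheld first block, never returned

    def next_block(self) -> bytes:
        block = self._source(self._n)
        if len(block) != self._n:
            raise RuntimeError("RNG returned a short block")
        if block == self._last:
            raise RuntimeError("continuous RNG test failed: repeated block")
        self._last = block
        return block


def gated_random_bytes(rng: ContinuousRngTest, n: int) -> bytes:
    """Return n bytes, every block of which passed the continuous test."""
    out = bytearray()
    while len(out) < n:
        out += rng.next_block()
    return bytes(out[:n])


def make_replay_source(blocks: List[bytes]) -> Callable[[int], bytes]:
    """Constructed deterministic 'RNG' for the demonstration: replays the
    given blocks in order, so a stuck generator can be simulated."""
    it = iter(blocks)
    return lambda n: next(it)


def replay_passes_continuous_test(blocks: List[bytes]) -> bool:
    """True if replaying `blocks` through the continuous test never trips
    it (the first block is the withheld one), False if a repeat is caught."""
    rng = ContinuousRngTest(make_replay_source(blocks), len(blocks[0]))
    try:
        for _ in range(len(blocks) - 1):
            rng.next_block()
    except RuntimeError:
        return False
    return True


if __name__ == "__main__":
    for name, ok in run_power_up_kats().items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
    rng = ContinuousRngTest(os.urandom, 16)
    print("gated bytes:", gated_random_bytes(rng, 32).hex())
    stuck = [b"A" * 16, b"B" * 16, b"B" * 16]  # constructed stuck generator
    print("stuck generator caught:", not replay_passes_continuous_test(stuck))
```

The KAT table compares with `hmac.compare_digest` out of habit rather than necessity; the point is that a start-up failure of any entry must leave the module refusing crypto services, which is why `run_power_up_kats` reports every test rather than stopping at the first failure.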
Page 18
... Access to the module without the password will put the router into a non-FIPS mode of operation. ... The Crypto Officer must disable IOS Password Recovery by executing the following commands: configure terminal, no ... This setting disables break from the console to ... other than its default. ... Algorithms: ... esp-des ... Key management: there are two types of key management method that are allowed in a FIPS 140-2 configuration: - ...
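The constraints stated on these pages (MD5, HMAC-MD5 and MD4 are disabled in FIPS mode; password recovery must be disabled) can be checked mechanically against a device's running configuration. The following is an added example, not from the Cisco document, that audits a constructed IOS running-config for those two constraints. It assumes the standard IOS command `no service password-recovery` is the one the policy's truncated command list refers to, and relies on the running-config layout in which ISAKMP policy subcommands are indented under `crypto isakmp policy`; the `Finding` type, `audit_fips_mode` function and the two sample configurations are constructed for the demonstration.

```python
"""Audit an IOS running-config for the FIPS-mode constraints this policy
states (added example, not from the Cisco document)."""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    line_no: int   # 0 for a configuration-wide finding
    text: str
    reason: str


# IPSec transforms that rely on HMAC-MD5; the policy disables MD5/HMAC-MD5
# in FIPS mode.
MD5_TRANSFORMS = {"esp-md5-hmac", "ah-md5-hmac"}
ISAKMP_HASH_RE = re.compile(r"^\s+hash\s+(\S+)\s*$")
TRANSFORM_SET_RE = re.compile(r"^crypto ipsec transform-set\s+\S+\s+(.+)$")
# Assumed to be the command behind the policy's truncated
# "configure terminal / no ..." sequence for disabling password recovery.
PASSWORD_RECOVERY_OFF = "no service password-recovery"


def audit_fips_mode(config: str) -> List[Finding]:
    """Return one Finding per violation of the policy's FIPS-mode rules."""
    findings: List[Finding] = []
    in_isakmp_policy = False
    recovery_disabled = False
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.rstrip()
        if line == PASSWORD_RECOVERY_OFF:
            recovery_disabled = True
        # Running-config nests ISAKMP policy subcommands (indented by one
        # space) under "crypto isakmp policy <n>"; a non-indented line ends
        # the block. The IOS default hash is SHA, so a missing "hash" line
        # is not a finding.
        if line.startswith("crypto isakmp policy "):
            in_isakmp_policy = True
        elif line and not line.startswith(" "):
            in_isakmp_policy = False
        if in_isakmp_policy:
            m = ISAKMP_HASH_RE.match(line)
            if m and m.group(1).lower() == "md5":
                findings.append(Finding(
                    n, line,
                    "ISAKMP policy uses hash md5; MD5 is disabled in FIPS mode"))
        m = TRANSFORM_SET_RE.match(line)
        if m:
            bad = sorted(MD5_TRANSFORMS & set(m.group(1).lower().split()))
            if bad:
                findings.append(Finding(
                    n, line, f"transform set uses HMAC-MD5: {', '.join(bad)}"))
    if not recovery_disabled:
        findings.append(Finding(
            0, "",
            f"password recovery not disabled ('{PASSWORD_RECOVERY_OFF}' missing)"))
    return findings


# Constructed sample running-configs (not captured from a real device).
WEAK_CONFIG = """\
version 12.3
service password-encryption
hostname fips-rtr
!
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key example-psk address 192.0.2.10
!
crypto ipsec transform-set WEAK esp-aes esp-md5-hmac
!
end
"""

HARDENED_CONFIG = """\
version 12.3
service password-encryption
no service password-recovery
hostname fips-rtr
!
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key example-psk address 192.0.2.10
!
crypto ipsec transform-set FIPS esp-aes esp-sha-hmac
!
end
"""


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_fips_mode(cfg)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  line {f.line_no}: {f.reason}")
```

The audit only covers what a configuration file can show; whether the AIM-VPN/EP is physically installed and whether the tamper evidence labels are intact, which the policy also requires for FIPS mode, still have to be checked on the device itself.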
Page 19
... There are several ways to obtain technical information from Cisco Systems. Cisco.com: You can access the most current Cisco documentation at this URL: http://www.cisco.com/univercd/home/home.htm. You can access the Cisco website at this URL: http://www.cisco.com ...
Page 20
... America, by writing to bug-doc@cisco.com. Documentation Feedback: You can submit comments by using the response card (if present) behind the front cover of your ... your reseller. ... In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. You can ...