User Guide
Page 2
... document provides an overview of the Cisco 2621XM and 2651XM routers and explains the secure configuration and operation of a FIPS 140-2 cryptographic module security policy. The Cisco 2621XM and 2651XM routers offer versatility, integration, and security to branch offices. The 2621XM/2651XM Router References This document deals only with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security...
User Guide
Page 7
... authentication and they are authenticated by providing a valid User username and password. Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy OL-6262-01 7 Both roles are used without repetition for the configuration and maintenance of guessing the correct sequence. A complete description of all the management...
User Guide
Page 8
...each IP range or allow plaintext packets to be removed (see Figure 5) to allow access to the motherboard, memory, and expansion slots. Cisco 2621XM and Cisco 2651XM Modular Access Routers with a terminal program. Each Filter consists of a set of Rules, which define a set of IOS currently running ...the outer, manually back up the configuration tables for their password. If the password is correct, the User is entirely encased by accessing the console port with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy 8 OL-6262-01 The 2621XM/2651XM Router • Define Rules and ...
User Guide
Page 9
... labels as shown in order to remove a WAN interface card will leave tamper evidence. Alcohol-based cleaning pads are included with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy OL-6262-01 9 Place the second label on the router as shown in Figure 6. ...requirements, the router cannot be accessed without signs of the router. Once the router has been configured in a FIPS compliant mode. Figure 5 Cisco 2621XM and Cisco 2651XM Chassis Removal The 2621XM/2651XM Router POWER RPS ACTIVITY Cisco 2600 SERIES 99497 Any NM or WIC slot, which is not populated with a NM or ...
User Guide
Page 12
DRAM (plaintext) The RSA public key used in SSH. However, it with a new password. (plaintext) The ciphertext password of the configuration file. The authentication key used in PPP. The key is identical to encrypt values of the CO role. This password is zeroized by overwriting ... and Cisco 2651XM Modular Access Routers with a new password. It is zeroized when the SSH session DRAM is an ARAP user password used by overwriting it with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy 12 OL-6262-01 This key can turn off the router to encrypt this key) from ...
User Guide
Page 13
... Role Configure the Router Define Rules and Filters Status Functions Manage the Router Set Encryptions/Bypass Change WAN Interface Cards SRDI/Role/Service Access Policy Security Relevant Data Item CSP 1 r CSP 2 r CSP 3 r CSP 4 r CSP 5 r CSP 6 r CSP 7 r CSP 8 r CSP 9 r CSP 10 r CSP 11 r dr w d r w d r w d r w d r w d r w d r w d r w d r w d r w d r w d Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP...
User Guide
Page 14
...Configure the Router Define Rules and Filters Status Functions Manage the Router Set Encryptions/Bypass Change WAN Interface Cards SRDI/Role/Service Access Policy CSP 12 CSP 13 CSP 14 CSP 15 CSP 16 CSP 17 CSP 18 CSP 19 CSP 20 CSP 21 CSP 22 CSP 23 r r w d r r w d r r w d r r w d r r w r r w d r r w d r r w d r r w d r r w w d d r r w d r r w d Cisco 2621XM and Cisco 2651XM... Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy 14 OL-6262-01
User Guide
Page 15
Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy OL-6262-01 15 Table 5 Role and Service Access to CSPs (continued) The 2621XM/2651XM Router Role/Service User Role Status Functions Network Functions Terminal Functions Directory Services Crypto-Officer Role Configure the Router Define Rules and Filters Status...
User Guide
Page 18
...• The Crypto Officer may be loaded. • The value of the Cisco 2621XM/2651XM Router • The Crypto Officer must disable IOS Password Recovery by executing the following commands: configure terminal no service password-recovery end show version Note Once Password Recovery is disabled, ...role. esp-des Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy 18 OL-6262-01 This setting disables break from the console to use RADIUS or TACACS+ for authentication. System Initialization and Configuration • The Crypto...
User Guide
Page 19
...uses only FIPS-approved algorithms. Related Documentation For more information about the Cisco 2621XM and Cisco 2651XM modular access routers, refer to use a FIPS-approved algorithm. Related Documentation - The Crypto officer must configure the module so that any remote connections via a secure IPSec tunnel ... from Cisco Systems. Cisco.com You can access the most current Cisco documentation at this URL: http://www.cisco.com/univercd/home/home.htm You can access the Cisco website at this URL: http://www.cisco.com Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS...
User Guide
Page 21
...the fastest way to a Cisco TAC engineer. Severity 4 (S4)-You require information or assistance with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy OL-6262-01 21 Obtaining Technical Assistance Cisco Technical Support Website The Cisco Technical Support Website provides ... network is little or no effect on the Cisco Technical Support Website requires a Cisco.com user ID and password. Cisco 2621XM and Cisco 2651XM Modular Access Routers with Cisco product capabilities, installation, or configuration. You and Cisco will commit resources during normal business hours to ...
User Guide
Page 22
...configuration examples, customer case studies, certification and training information, and links to help readers make sound technology investment decisions. You can use technology to Cisco Press at this URL: http://www.cisco.com/en/US/learning/index.html Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN.../EP FIPS 140-2 Non-Proprietary Security Policy 22 OL-6262-01 Visit Cisco Marketplace, the company store, ...
Hardware Installation Guide
Page 71
...Facility" section on page 3-26 • Setup command facility. To learn how to use the CLI to perform additional configuration. you can also access the Cisco 2600 series routers quick start guides online at any point you may enter a question mark '?' Would you for help... with a virtual private network (VPN) bundle, Cisco Router and Security Device Manager is now available Press RETURN to the quick start guide that shipped with your system has booted in square brackets '[]'. See the "Initial Configuration Using SDM" section on page 3-26. • ...