User Guide
Page 1
... Publication 140-2-Security Requirements for the 2621XM and 2651XM Modular Access Routers with AIM-VPN/EP. Government requirements for cryptographic modules. This document contains the following sections: • Introduction, page 1 • The 2621XM/2651XM Router, page 2 • Secure Operation of the 2621XM and 2651XM routers. All rights reserved. Cisco Systems, Inc. Firmware Version: IOS 12.3(3d...
Page 2
..., the modules, or the systems. Document Organization The Security Policy document is releasable only under appropriate non-disclosure agreements. The 2621XM/2651XM Router References This document deals only with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy 2 OL-6262-01 More information is available on the Cisco 2621XM and Cisco 2651XM routers and the Cisco 2600...
Page 3
... virtual private networks or outsourced dial solutions. The 2621XM/2651XM Cryptographic Module Figure 1 The 2621XM/2651XM Router POWER RPS ACTIVITY Cisco 2600SERIES 99493 The 2621XM and 2651XM Routers are multiple-chip standalone cryptographic modules. The Cisco 2621XM and 2651XM routers incorporate an AIM-VPN/EP cryptographic accelerator card. Cisco 2621XM and Cisco 2651XM Modular Access Routers with up to accommodate a WIC or...
Page 4
... ports. they only serve as they greatly increase the router's flexibility. The module also has two other RJ-45 connectors on the rear panel with descriptions detailed in Table 1: Cisco 2621XM and Cisco 2651XM Modular Access Routers with the PCI bridge in the same way that they don...of two slots, which are similar to Network Modules in and out. The expansion bus interacts with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy 4 OL-6262-01 When a Network Module is inserted into an adapter called the Network Module expansion bus. WICs interface directly with the cryptographic ...
Page 6
...logical interfaces from FIPS 140-2 as described in Table 3: Table 3 Cisco 2621XM and Cisco 2651XM FIPS 140-2 Logical Interfaces Router Physical Interface 10/100BASE-TX LAN Port WIC Interface Network Module Interface Console Port Auxiliary Port 10/100BASE-TX LAN Port WIC Interface ...Module Interface Console Port Auxiliary Port 10/100BASE-TX LAN Port WIC Interface Network Module Interface Power Switch Console Port Auxiliary Port FIPS 140-2 Logical Interface Data Input Interface Data Output Interface Control Input Interface Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/...
Page 7
...router, the Crypto Officer password (the "enable" password) is role-based. The module supports RADIUS and TACACS+ for the router. Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy OL-6262-01 7 Crypto Officer Services ...additional accounts, thereby creating additional Crypto Officers. The 2621XM/2651XM Router Table 3 Cisco 2621XM and Cisco 2651XM FIPS 140-2 Logical Interfaces (continued) Router Physical Interface 10/100BASE-TX LAN Port WIC Interface Network Module Interface LAN Port LEDs 10/100BASE-TX LAN Port LEDs...
Page 8
...-set from specified IP address. • Change Network Modules-insert and remove modules in the Network Module slot as described in the "Initial Setup" section of this document. The IOS prompts the User for IP tunneling. Cisco 2621XM and Cisco 2651XM Modular Access Routers with a terminal program. Set keys ...Network Module slot, 2 WIC slots, on each IP range or allow plaintext packets to be removed (see Figure 5) to allow access to the motherboard, memory, and expansion slots. If the password is correct, the User is entirely encased by accessing the console port with AIM-VPN/EP...
Page 9
...on the router as shown in Figure 6. Alcohol-based cleaning pads are included with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy OL-6262-01 9 The tamper evidence label... evidence label should be populated with an appropriate slot cover in order to remove a Network Module will leave tamper evidence. To seal the system, apply serialized tamper-evidence labels as shown...the router. Any attempt to operate in Figure 6. Figure 5 Cisco 2621XM and Cisco 2651XM Chassis Removal The 2621XM/2651XM Router POWER RPS ACTIVITY Cisco 2600 SERIES 99497 Any NM or WIC slot, which is not...
Page 10
...Zeroized when IKE session is the seed key for DH and RSA key generation. Any attempt to zeroize this key. The modules contain a cryptographic accelerator card (the AIM-VPN/EP), which include the following critical security parameters (CSPs): Table 4 Critical Security Parameters # CSP Name 1 CSP 1 ... the generation of the module cover. hence, it is stored in Diffie-Hellman (DH) exchange. All keys are exchanged manually and entered electronically via manual key exchange or Internet Key Exchange (IKE). DRAM (plaintext) Cisco 2621XM and Cisco 2651XM Modular Access Routers with ...
Page 11
...it frees the public key label which in the module binary image and can have two forms based on whether the key is related to be zeroized because it is a public key; NVRAM (plaintext) Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy OL-... deleted. This key does not need to the hostname or the IP address. DRAM (plaintext) The RSA public key of the DNS server. The 2621XM/2651XM Router Table 4 Critical Security Parameters (continued) 4 CSP 4 5 CSP 5 6 CSP 6 7 CSP 7 8 CSP 8 9 CSP 9 10 CSP 10 11 CSP 11 12 CSP 12 13 CSP...
Page 12
... The TACACS+ shared secret. NVRAM (plaintext), DRAM (plaintext) Cisco 2621XM and Cisco 2651XM Modular Access Routers with a new password. The 2621XM/2651XM Router Table 4 Critical Security Parameters (continued) 18 CSP 18 ...(plaintext) The RADIUS shared secret. The router itself to encrypt this key in the module binary image. The password retrieved from the local database. This password is zeroized by ... form of the CO role. One can be zeroized because (plaintext) it with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy 12 OL-6262-01 Issuing the "no "...
Page 15
Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy OL-6262-01 15 Table 5 Role and Service Access to CSPs (continued) The 2621XM/2651XM Router Role/Service User Role Status Functions Network Functions Terminal Functions Directory Services Crypto-...24 CSP 25 CSP 26 CSP 27 CSP 28 CSP 29 CSP 30 CSP 31 r dr w r r w d r r w d r r w d r w d r w d r w d r w d The module supports DES (only for legacy systems), 3DES, DES-MAC, TDES-MAC, AES, SHA-1, HMAC SHA-1, MD5, MD4, HMAC MD5, Diffie-Hellman, RSA (for digital signatures...
Page 16
...exchanged manually and entered electronically. • Internet Key Exchange method with support for individual tunnels are directly associated with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy 16 OL-6262-01 The pre-shared keys are functioning correctly. All Diffie-...Cisco 2651XM Modular Access Routers with that specific tunnel only via the IKE protocol. Please refer to the Description column of Table 4 for information on methods to be zeroized. Note After the router recovers from being released, it is important to test the cryptographic components of a security module...
Page 17
.../2651XM Router The Cisco 2621XM and 2651XM Modular Access Routers with AIM-VPN/EP meet all the Level 2 requirements for detailed instructions on the router as described in the "Physical Security" section of this router without maintaining the following settings will remove the module from the FIPS approved mode of any grease, dirt, or oil...
Page 18
... System Initialization and Configuration • The Crypto Officer must be at least 8 characters and is optional. Secure Operation of the Cisco 2621XM/2651XM Router • The Crypto Officer must disable IOS Password Recovery by executing the following commands: configure terminal no other than its ... boot field must be possible. esp-des Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy 18 OL-6262-01 The password must perform the initial configuration. Configuring the module to use RADIUS or TACACS+, the Crypto-...
Page 19
...://www.cisco.com Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy OL-6262-01 19 MD-4 and MD-5 for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Routers Obtaining Documentation Cisco documentation and additional literature are available on Cisco.com. The Crypto officer must configure the module so that...