User Guide
Page 1
...-2 mode. More information about the FIPS 140-2 standard and validation program is the non-proprietary Cryptographic Module Security Policy for the Cisco 2811 and Cisco 2821 Integrated Services Router without an AIM card installed.
Cisco 2811 and Cisco 2821 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy, Level 2 Validation, Version 1.3, November 23, 2005
Introduction
This document is available on the NIST...
Page 2
... the Cisco 2811 or Cisco 2821 router" section on the Cisco Systems website at www.cisco.com.
• The NIST Validated Modules website (http://csrc.nist.gov/cryptval) contains contact information for answers to as additional references
This document provides an overview of a FIPS 140-2 cryptographic module security policy. In addition to reduce costs.
Page 3
... Figure 2 shows the front panel and Figure 3 ... The router has a processing speed of IP phone power output.
Cisco 2811 and Cisco 2821 Routers
The Cisco 2811 Cryptographic Module Physical Characteristics
Figure 1 The Cisco 2811 router case [figure residue; panel labels: SYS PWR, AUX/PWR, SYS ACT, CF COMPACT FLASH]...
Page 4
...failure detected; No interrupts or packet transfer occurring; System is servicing interrupts; System is actively transferring packets; No ongoing accesses, eject permitted; Device is a separate security policy covering the Cisco 2811 and Cisco 2821 routers with this security policy. Table 1 and Table 2 ...LEDs, two PVDM LEDs, and two AIM LEDs. However, an AIM module may not be installed in table 1. Cisco 2811 and Cisco 2821 Routers shows the rear panel. There is busy, do not...
Page 5
Cisco 2811 and Cisco 2821 Routers
Table 2 Cisco 2811 Rear Panel Indicators: Name PVDM1 PVDM0 AIM1 AIM0; State Off Solid Green Solid Orange Off Solid Green Solid...initialized AIM0 installed and initialized error
Table 3 describes the meaning of Ethernet LEDs on the rear panel:
Table 3 Cisco 2811 Ethernet Indicators: Name Activity Duplex Speed Link; State Off Solid/Blinking Green Off Solid Green One Blink Green Two ...the logical interfaces from FIPS 140-2 as described in the Table 4:
Page 6
Tamper-evident seal will be placed over the card in the future for smartcard or token reader.
Cisco 2811 and Cisco 2821 Routers
Table 4 Cisco 2811 FIPS 140-2 Logical Interfaces: Router Physical Interface 10/100 Ethernet LAN Ports HWIC Ports Console Port Auxiliary Port ENM Slot 10/100 Ethernet LAN Ports HWIC ... is considered an internal memory module, because the IOS image stored in the card may not be removed from the drive. The card itself must never be modified or upgraded.
Page 7
... The interfaces for cryptographic operations. All of the functionality discussed in Figure 5 and Figure 6, respectively. The router has a processing speed of the module is the device's case.
Cisco 2811 and Cisco 2821 Routers
The Cisco 2821 Cryptographic Module Physical Characteristics
Figure 4 The Cisco 2821 router... [figure residue; panel labels: CONSOLE, AUX, 100-240 V~ 50/60 Hz 4A]
The Cisco 2821 router is a multiple-chip standalone cryptographic module. Depending on configuration, either the internal ...
Page 8
... rear panel. The front panel contains 4 LEDs that output status data about the system power, auxiliary power, system activity, and compact flash busy status.
The front panel contains the following:
• (1) Power inlet
• (2) Power switch
• (3) Console and...
Page 9
... 5 and Table 6 provide more detailed information conveyed by the LEDs on the front and rear panel of the router:
Table 5 Cisco 2821 Front Panel Indicators: Name State; System Power Off Blinking Green Solid Green Solid Orange; Auxiliary Power Off Solid Green Solid Orange; Activity Off Blinking Green ... not installed AIM0 installed and initialized AIM0 installed and initialized error
Table 7 describes the meaning of Ethernet LEDs on the front panel:
Page 10
... link is established. The physical interfaces are separated into the logical interfaces from FIPS 140-2 as described in the Table 8:
Table 8 Cisco 2821 FIPS 140-2 Logical Interfaces: Router Physical Interface 10/100 Ethernet LAN Ports HWIC Ports Console Port Auxiliary Port ENM Slot VeNoM Slot 10/100 Ethernet LAN Ports HWIC... HWIC Ports Power Switch Console Port Auxiliary Port ENM Slot; FIPS 140-2 Logical Interface Data Input Interface Data Output Interface Control Input Interface
Page 11
... be placed over the card in the card cannot be modified or upgraded. There are not supported currently. and initiate diagnostic network services (i.e., ping, mtrace).
• Terminal Functions-Adjust the terminal session (e.g., lock the terminal, adjust flow control).
•...
Page 12
... establishment, or packet direction.
• View Status Functions-View the router configuration, routing tables, active sessions, use gets to the motherboard, memory, AIM slot, and expansion slots.
Each Filter... should be removed to allow plaintext packets to meet FIPS 140-2 Level 2 requirements, the router cannot be placed so that are recommended for IP tunneling.
Crypto Officer Services
During initial configuration of tampering.
Page 13
... label covers the enclosure and the other half covers the port adapter slot.
Figure 7 Cisco 2811 Tamper Evident Label Placement (Back View)
Figure 8 Cisco 2811 Tamper Evident Label Placement (Front View)
To apply serialized tamper-evidence labels to remove the...
Page 14
... show the tamper evidence label placements for all keys. The tamper evidence seals provide physical protection for the Cisco 2821.
Step 5
Step 6
The tamper evidence label should be inspected for signs of tampering, which include the following: curled...
Page 15
... will zeroize the pre-shared keys from the DRAM: AES - The following are used to derive HMAC-SHA-1 key. See the Cisco IOS Reference Guide. "Clear Crypto IPSec SA" will zeroize the IPSec ...keys, and the CO role is allowed in the approved mode for pre-shared keys exchanged and entered electronically. - HMAC-SHA-1 The router is derived using the Diffie-Hellman key agreement technique) from the DRAM, the running configuration. Note: The module supports DH key sizes of...
Page 16
...skeyid_e DES/TDES The ISAKMP security association encryption key. The IKE session authentication key. Automatically after IKE session terminated. The module supports the following commands will zeroize the ...-1 The IKE key derivation key for X9.31 PRNG. Automatically after shared secret generated. Automatically after IKE session terminated.
• no set session-key inbound ah spi hex-key-data
• no set session-key outbound ah spi...
Page 17
Table 9 Cryptographic Keys and CSPs (Continued): ISAKMP preshared Secret The key used to Router authentication key 1 except that it is retrieved from the local database (on whether the key is related to the peer. The ...at runtime. Automatically when IPSec session terminated. NVRAM This key is used as this key because it with new password Issuing the "no crypto isakmp key" command zeroizes it onto the peer. It is zeroized...
Page 18
...Relevant Data Item PRNG Seed r DH private exponent r DH public key r dr w d r w d r w d However, the algorithm used to CSP Note: An empty entry indicates that... can be executed by Officer are shown "# command".
Table 10 Role and Service Access to encrypt this password is not FIPS approved....
Page 19
... Filters Status Functions Manage the Router Set Encryptions/Bypass Change WAN Interface Cards SRDI/Role/Service Access Policy DH public key skeyid skeyid_d skeyid_a skeyid_e IKE session encrypt key IKE session authentication key ISAKMP preshared IKE hash key secret_1_0_0 IPSec encryption key r r w d r r w d r r w d r r w d r r w d r r w d r r w r r w d r r w d r r w d r r w d
Page 20
... Filters Status Functions Manage the Router Set Encryptions/Bypass Change WAN Interface Cards SRDI/Role/Service Access Policy IPSec encryption key Configuration encryption key Router authentication key PPP Authentication key Router authentication key 2 SSH session key User password Enable password Enable secret RADIUS secret TACACS+ secret r r w d r r w w d d r r w d r dr w r r w d r r w d r r w d r w d r w d r w d r w d